Preface


NetWare® Web Manager is the tool you use to manage global preferences for 
all other Novell® Web Services, including the NetWare Enterprise Web and 
News Servers. Using any Web browser such as Netscape* Navigator* or 
Communicator*, you can manage your Novell® Web Services from any place 
on the Internet. 


With Novell® Directory Services® (NDS®), you can manage users, groups, 
and resources from a common directory where information is only stored 
once. 


What’s in This Documentation? 


This documentation describes NetWare Web Manager and covers basic 
concepts common to all NetWare Web Services included in NetWare 5.1. It 
also describes how to configure NetWare Web Manager, contains in-depth 
information about command-line tools, and shows you how to 


+ Start and stop NetWare Web Manager 


+ Configure multiple NetWare Web Services from a single Web Manager 
(cluster management) 


+ Configure and use a local database, LDAP, or NDS mode to manage users 
and groups for access control to your servers 


+ Build access control lists to restrict who can use your servers. 
Web Browser Requirements 


To configure any of the NetWare Web Services, you need a Web browser, 
such as Netscape Navigator or Navigator Gold* 3.0 or later, Netscape 
Communicator, Internet Explorer* or any other browser that supports Java* 
and JavaScript*. If you don’t have a browser installed on your computer, 
install the version of Netscape Navigator from your Novell CD. You must 
enable Java or JavaScript in your Web browser because all of the 
configuration forms in Web Manager and the server managers use one or both 
of these forms of Java to function. 
To enable Java in Netscape Navigator: 

1 From the browser window, click Options > Network Preferences. 

2 Select the Language tab and make sure Java and JavaScript are checked. 

3 Click OK. 
To enable Java in Netscape Communicator: 

1 From the Communicator browser window, click Edit > Preferences. 

2 Select the Advanced category in the left column. 

3 Check the Enable Java and Enable JavaScript check boxes. 

4 Click OK. 


To enable Java in Internet Explorer 4 or higher: 


1 From the Internet Explorer browser window, click Tools > Internet 
Options. 


2 Select the Advanced tab. 
3 Under Java VM, check Java JIT Compiler Enabled. 


4 Click OK. 




Novell Technical Support 


The Novell Support Connection™ provides access to Novell’s networking 
expertise through the Novell Support Connection Web site, the Novell 
Support Connection CD, and support programs for customers and partners. 
By using the Novell Support Connection Web site or CD, you can connect to 
the same networking knowledge used by Novell technical support engineers. 
In addition, the Web site provides an open Internet-based forum for users and 
partners to share technical support information and solutions. The forums are 
staffed by volunteer System Operators (SysOps) who are invited and 
sponsored by Novell to answer questions posted in the forums. The Web site 
also offers information on Advanced Technical Training videos, CBTs and 
conferences. 
For additional support, we encourage users to contact a Novell partner. Users 
can locate qualified partners using the Novell Support Connection Web site. 
Searches are based on geographic location, product expertise, or both. 
Visit Novell Support Connection at: 

+ Americas (http://support.novell.com) 

+ Europe, Middle East, and Africa (http://support.novell.de) 

+ Asia Pacific (http://support.novell.com.au) 
or call: 

+ Americas (English): 1-800-858-4000/801-861-4000 

+ Europe, Middle East, and Africa (English): (49) 211 5632 744 

+ French: (49) 211 5632 733 

+ German: (49) 211 5632 777 

+ Asia Pacific (English): (61) 2 9925 3133 


See the Novell Support Connection Web site (http://support.novell.com) for a 
complete list of languages and support telephone numbers. 




To order the Novell Support Connection CD, call 1-800-377-4136 or 
1-303-297-2725 or visit the Novell Support Connection Web site 
(http://support.novell.com). 
NetWare Web Manager Basics 


This section describes the concepts behind NetWare® Web Manager and the 
Server Manager forms you use to configure Web services. For help on using 
specific forms in a Server Manager, click the Help button at the bottom of each 
form. 


Because every NetWare Web Service is configured using NetWare Web 
Manager and the Server Manager forms, you can easily configure your servers 
remotely, using any computer in your network. 


Figure 1 Remotely Configuring NetWare Web Services 

[Figure: network diagram. Callouts: You can use any computer in the 
network to access NetWare Web Manager and the configuration forms. One 
computer runs both NetWare Web Manager and other Web Services.] 





Using NetWare Web Manager 


NetWare* Web Manager is the browser-based management tool you use to 
configure and manage the following NetWare Web services: 
+ NetWare Enterprise Web Server: An HTTP server used to serve up Web 
pages to the Internet or to an intranet. 

+ NetWare News Server: A news server used to manage Internet or intranet 
newsgroups for discussing and sharing information. 

+ NetWare Web Search Server: A search server used to build indexes for 
adding searching capabilities to your Internet or intranet Web sites; it 
can index content located on file or Web servers. 

+ NetWare Multimedia Server: A multimedia server used to serve up 
multimedia content to Web browsers. 


NetWare Web Manager also allows you to manage your users and groups 
using a local database, LDAP, or Novell Directory Services* (NDS*), manage 
one or more Web services from a single Web browser, and enable or disable 
Secure Sockets Layer (SSL). 


When you install additional NetWare Web services, they are managed from 
within NetWare Web Manager. Because the forms for each Web service have 
a consistent look and feel, you can quickly learn to configure and manage any 
other service. 


NetWare Web Manager is installed when you install your first NetWare Web 
Service. The directory where you install the servers is called the server root 
directory. 


After installing a server and NetWare Web Manager, use your browser to 
navigate to NetWare Web Manager, then click its forms to configure your 
servers. When you submit a form, the Web Manager modifies various 
configuration files on your NetWare server for the server you are 
administering. 


The URL you use to navigate to NetWare Web Manager depends on the 
computer hostname and the port number you choose when you install any 
NetWare Web Service. For example, if you installed NetWare Web Manager 
on port 2002, the URL might look like this: 
https://myserver.novell.com:2002 

or 

https://137.95.65.150:2002 


Before you can access NetWare Web Manager, you are prompted to type a 
username and password. You set up the administrator username and password 
when you install the first NetWare Web Service and NetWare Web Manager 
on your computer. 


The first page you see when you access NetWare Web Manager is called the 
General Administration page (see “The Server Administration Page” on page 
16). Your General Administration page might look different depending on the 
Web Services you have installed. 


+ The General Administration page contains buttons for configuring 
NetWare Web Manager settings, which are global settings that affect all 
other installed Web Services. 

+ Servers Supporting General Administration displays all of the Web 
Services installed on the computer (in the same server root directory). 
Figure 2 The Server Administration Page 


Using the Server Manager Forms 


The collection of forms used to configure a single server is called the Server 
Manager. NetWare Web Manager contains a Server Manager for each Web 
Service installed on the computer, including one for NetWare Web Manager 
itself. 


The Server Administration page, shown in Figure 2, “The Server 
Administration Page,” on page 16, contains links to each Server Manager. 


+ To configure general server preferences, click one of the links on the 
NetWare Web Manager page. 


+ To configure a specific server, click the server name button. For help 
configuring a particular server, see that server’s documentation or click 
Help in any online form. 


After clicking a button, you’ll see a Server Manager for the server name you 
clicked. A Server Manager appears as a three-framed page with buttons in the 
top frame and links in the left frame (see Figure 3, “Enterprise Server’s Server 
Manager Page,” on page 18). 
Figure 3 Enterprise Server's Server Manager Page 


To use the Server Manager, click a category button in the top frame (for 
example, Server Preferences), then click a link in the left frame (for example, 
Network Settings). A form appears in the remaining frame where you select 
options and specify values that configure the server. To submit your changes 
in the form, click OK. Click Help in any form to get specific directions on 
using that form. 
To return to the Server Administration page, click the Server Administration 
button in the top frame of the Server Manager. 


Stopping NetWare Web Manager 


If you enable end-user access to NetWare Web Manager, you should keep 
NetWare Web Manager running as much as possible. If you don't enable 
end-user access, consider shutting down NetWare Web Manager when you 
aren't using it. This minimizes the chance of a break-in, which could happen if 
someone learns any of your administrator passwords. 


To shut down NetWare Web Manager: 


1 Under General Administration, click Admin Preferences > Shut Down 
Web Manager. 


2 Click Shut Down the Administration. 
Configuring NetWare Web Manager 


This section describes the forms in the Admin Preferences and Global Settings 
categories of General Administration. 


Configuring the System User and Port Number 


Network settings affect the way NetWare® Web Manager runs. You can 
change the system user account that runs the Web Manager. This is a user 
account you set up with your computer's operating system (by default, the 
user is Admin). 


You can also change the port number NetWare Web Manager listens to. The 
port number can be any number between 80 and 65,535, but it is typically a 
random number greater than 2000. For security reasons, consider changing the 
port number regularly. 


To change NetWare Web Manager's port number: 


1 From the General Administration page, click Admin Preferences > 
Network Settings. 


2 In the Web Manager Port field, type the port number you want NetWare 
Web Manager to use. 


3 Click OK. 


4 Restart the server for the settings to take effect. 
Securing Web Manager 


Secure Sockets Layer (SSL), enabled by default when NetWare Web Manager 
is installed, is used to secure your NetWare Web Manager. Once enabled, you 
must use HTTPS to access Web Manager. 


Once SSL is enabled, you can then use ConsoleOne to install Public Key 
Infrastructure Services (PKIS). When you installed the Novell Certificate 
Server (during the NetWare installation), a Key Material Object (KMO) was 
created by default. A KMO, also called a server certificate object, includes a 
server certificate and key pair files. 


To enable or disable SSL in Web Manager: 


1 From the General Administration page of Web Manager, click Admin 
Preferences > Turn On/Off SSL. 


2 Click On to enable, or Off to disable SSL. 


3 From the Server Certificate drop-down list, select the Server Certificate 
object you want to use for SSL encryption. 


HINT: See ConsoleOne Help for more information about configuring 
security and PKIS. 


4 Click OK. 


For more information on installing and configuring the Novell Certificate 
Server, refer to the Novell Documentation Web site (http://www.novell.com/ 
documentation) for the Novell Certificate Server Installation Guide and the 
Enterprise Web Server Administration Guide. 


Configuring Distributed Administration 


Distributed administration lets multiple administrators change specific parts 
of the server. 


An administrator can bypass the Server Administration page and go directly 
to the Server Manager forms for a specific server, including NetWare Web 
Manager. An administrator can perform limited administrative tasks and can 
make changes that affect other users, such as adding users or changing access 
control. 
Working with Log Files 


Server log files can help you monitor your server's activity. You can use these 
logs to monitor your server and troubleshoot problems. Server logs are in the 
Common Log File Format, a commonly supported format that provides a fixed 
amount of information about the server. 


The ERROR log file, located in ADMIN/LOGS in the server root directory, 
lists all the errors the server has encountered. 


The ACCESS log file, located in ADMIN/LOGS in the server root directory, 
records information about requests to the server and the responses from the 
server. You can specify what is included in the ACCESS log file under General 
Administration. 


To configure logging options for NetWare Web Manager: 


1 Under General Administration, click Admin Preferences > Logging 
Options. 


2 In the Log Accesses To field, type a path to the directory where you want 
NetWare Web Manager to store the ACCESS log file. 


You can type either an absolute path or a path relative to your server root 
directory. Leaving this field blank deactivates access logging. 


3 Click OK. 


Viewing an Access Log File 


You can view the server’s active and archived access log files under General 
Administration. 


To view an access log: 


1 Under General Administration, click Admin Preferences > View Access 
Log. 


2 In the list below the OK, Reset, and Help buttons, select the access log 
file you want to see. 
Active log files for resources and archived log files appear in the list. 


3 In the Number of Entries field, type the number of lines you want the 
access log to display. 


4 In the Only Show Entries With field, type the particular word you want to 
filter the access log entries for. 


Case is important. If you use this search feature, the Number of Entries 
field determines how many entries to search, not how many will display. 


5 Click OK. 


The following is a sample of an access log in the Common Log File Format: 

a.nov.com - [16/May/1999:21:18:26 -0800] "GET /admin-serv/icons/dot.gif HTTP/1.0" 200 2575 
a.nov.com - [17/May/1999:11:04:38 -0800] "GET /admin-serv/bin/frames?index+pref HTTP/1.0" 204 342 
a.nov.com - [20/May/1999:14:36:53 -0800] "GET /admin-serv/manual/ag/config.htm HTTP/1.0" 200 890 
arrow.a.com - [20/May/1997:14:36:53 -0800] "GET /admin-serv/manual/ag/so.gif HTTP/1.0" 401 571 


Table 1 Last Line of Access Log 

ACCESS Log Field                    Example 
Hostname or IP address of client    user.novell.com (the hostname is shown because the server is 
                                    using DNS lookups; if DNS cannot resolve the name or if DNS 
                                    lookups are disabled, the client's IP address would appear) 
Username                            john (username entered by the client for authentication) 
Date/time of request                29/Mar/1998:4:36:53 -0800 
Request                             GET /help 
Protocol                            HTTP/1.0 
Status code                         401 
Bytes transferred                   571 
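As an added example that is not part of the Novell documentation, the following Python parses access log records in the Common Log File Format into the fields of Table 1, reproduces the View Access Log filter semantics described above (the Number of Entries value limits how many lines are searched, and the match is case sensitive), and pulls out the 401 responses, which are requests that reached Web Manager without valid administrator credentials. The sample lines are constructed from the excerpt and Table 1 on this page; the function and variable names are the example's own.

```python
import re
from datetime import datetime

# Constructed sample: the access log excerpt from this page with its wrapped
# lines joined, plus a last line built from the values in Table 1.
SAMPLE_LOG = [
    'a.nov.com - [16/May/1999:21:18:26 -0800] "GET /admin-serv/icons/dot.gif HTTP/1.0" 200 2575',
    'a.nov.com - [17/May/1999:11:04:38 -0800] "GET /admin-serv/bin/frames?index+pref HTTP/1.0" 204 342',
    'a.nov.com - [20/May/1999:14:36:53 -0800] "GET /admin-serv/manual/ag/config.htm HTTP/1.0" 200 890',
    'arrow.a.com -[20/May/1997:14:36:53 -0800] "GET /admin-serv/manual/ag/so.gif HTTP/1.0" 401 571',
    'user.novell.com - john [29/Mar/1998:4:36:53 -0800] "GET /help HTTP/1.0" 401 571',
]

# One Common Log File Format record, field by field as in Table 1:
# client host, optional ident column, username, [date/time], "request", status, bytes.
# The ident column is optional and the space before "[" may be missing, because
# the excerpt on this page prints records both ways.
CLF_RE = re.compile(
    r'^(?P<host>\S+)\s+'
    r'(?:(?P<ident>\S+)\s+)?'
    r'(?P<user>\S+)\s*'
    r'\[(?P<time>[^\]]+)\]\s+'
    r'"(?P<method>\S+)\s+(?P<path>\S+)\s+(?P<protocol>[^"]+)"\s+'
    r'(?P<status>\d{3})\s+(?P<bytes>\d+|-)\s*$'
)


def parse_clf_line(line):
    """Return the record's fields as a dict, or None if the line is not CLF."""
    m = CLF_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["time"] = datetime.strptime(entry["time"], "%d/%b/%Y:%H:%M:%S %z")
    entry["status"] = int(entry["status"])
    entry["bytes"] = 0 if entry["bytes"] == "-" else int(entry["bytes"])
    entry["user"] = None if entry["user"] == "-" else entry["user"]
    return entry


def parse_log(lines):
    """Parse every line, dropping lines that are not valid records."""
    return [e for e in (parse_clf_line(l) for l in lines) if e is not None]


def filter_entries(lines, number_of_entries, only_show_entries_with):
    """Mimic the View Access Log form: only the first number_of_entries lines
    are searched (the field limits what is searched, not what is displayed),
    and the match is a case-sensitive substring match."""
    return [l for l in lines[:number_of_entries] if only_show_entries_with in l]


def failed_auth(entries):
    """Records answered with 401: the client did not present valid credentials."""
    return [e for e in entries if e["status"] == 401]


def failed_auth_by_host(entries):
    """Count 401 responses per client, a quick view of who is probing Web Manager."""
    counts = {}
    for e in failed_auth(entries):
        counts[e["host"]] = counts.get(e["host"], 0) + 1
    return counts


if __name__ == "__main__":
    for e in failed_auth(parse_log(SAMPLE_LOG)):
        print(f'{e["time"]:%Y-%m-%d %H:%M} {e["host"]} user={e["user"]} {e["method"]} {e["path"]}')
    print(failed_auth_by_host(parse_log(SAMPLE_LOG)))
```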
Viewing the Error Log File 


The ERROR log file contains errors the server has encountered after the log 
file was created. It also contains informational messages about the server, such 
as when the server was started and who tried unsuccessfully to login to the 
server. 


To view the ERROR log file: 


1 Under General Administration, click Admin Preferences > View Error 
Log. 


2 In the Number of Errors to View field, type the number of lines you want 
to see. 


3 In the Only Show Entries With field, type the particular word that you 
want to filter the error messages for. 


This field is case sensitive. 
4 Click OK. 


The following is an example of an error log: 

[13/May/1999:16:56:51] info: successful server startup 

[13/May/1999:16:56:51] info: NetWare Web-Administrator 
97.117.0455 

[13/Mar/1999:19:08:52] security: for host user.mozilla.com 
trying to GET /admin-serv/bin/index, acl-state reports: 
access of /usr/suitespot/bin/admin/admin/bin/index denied 
by ACL admin-serv directive 3 

[13/May/1999 20:05:43] failure: for host ceo.mozilla.com 
trying to POST /admin-serv/bin/distadm, cgi-parse-output 
reports: the CGI program /usr/suitespot/bin/admin/admin/ 
bin/distadm did not produce a valid header (program 
terminated without a valid CGI header. Check for core dump 
or other abnormal termination) 
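As an added example that is not part of the Novell documentation, this Python reads entries in the error log layout shown above (the sample text is constructed from the excerpt on this page), joins wrapped continuation lines back onto their record, tallies entries by category, and extracts the host, method and path from the security entries in which an ACL denied a request, which is the "who tried unsuccessfully" information the section mentions. All names in it are the example's own.

```python
import re
from collections import Counter

# Constructed from the error log excerpt on this page. Lines that do not start
# with "[" are continuations of the record above them, as in the excerpt.
SAMPLE_ERROR_LOG = """\
[13/May/1999:16:56:51] info: successful server startup
[13/May/1999:16:56:51] info: NetWare Web-Administrator
97.117.0455
[13/Mar/1999:19:08:52] security: for host user.mozilla.com
trying to GET /admin-serv/bin/index, acl-state reports:
access of /usr/suitespot/bin/admin/admin/bin/index denied
by ACL admin-serv directive 3
[13/May/1999 20:05:43] failure: for host ceo.mozilla.com
trying to POST /admin-serv/bin/distadm, cgi-parse-output
reports: the CGI program /usr/suitespot/bin/admin/admin/
bin/distadm did not produce a valid header (program
terminated without a valid CGI header. Check for core dump
or other abnormal termination)
"""

# "[date/time] category: message"; category is info, security or failure in the excerpt.
ENTRY_RE = re.compile(r"^\[(?P<time>[^\]]+)\]\s+(?P<category>\w+):\s*(?P<message>.*)$")
# Security and failure messages name the client and the request they refer to.
REQUEST_RE = re.compile(r"for host (?P<host>\S+) trying to (?P<method>[A-Z]+) (?P<path>[^,]+),")


def unwrap(text):
    """Join wrapped continuation lines back onto the record they belong to."""
    records = []
    for line in text.splitlines():
        if line.startswith("[") or not records:
            records.append(line)
        else:
            records[-1] += " " + line.strip()
    return records


def parse_error_log(text):
    """Parse each record into time, category and message and, where present,
    the client host, HTTP method and path the message refers to."""
    entries = []
    for record in unwrap(text):
        m = ENTRY_RE.match(record)
        if not m:
            continue
        entry = m.groupdict()
        req = REQUEST_RE.search(entry["message"])
        entry.update(req.groupdict() if req else {"host": None, "method": None, "path": None})
        entries.append(entry)
    return entries


def count_by_category(entries):
    """How many info, security and failure records the log holds."""
    return Counter(e["category"] for e in entries)


def acl_denials(entries):
    """Security records where an ACL refused a request to Web Manager."""
    return [e for e in entries if e["category"] == "security" and "denied by ACL" in e["message"]]


def denials_by_host(entries):
    """Clients that were refused by an ACL, with how often it happened."""
    return Counter(e["host"] for e in acl_denials(entries))


if __name__ == "__main__":
    parsed = parse_error_log(SAMPLE_ERROR_LOG)
    print(dict(count_by_category(parsed)))
    for e in acl_denials(parsed):
        print(e["time"], e["host"], e["method"], e["path"])
```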
Managing Clusters 


This section describes how to manage clusters of servers and explains how 
you can use clusters to share configurations among various types of servers. 
The online help contains directions for creating and managing clusters. In the 
NetWare® Web Manager, click the Help button at the bottom of the cluster 
management form. 


The NetWare Web Manager stores the information about clusters and provides 
the interface for managing the servers in the clusters. It also lets you 


+ Share one or more configuration files between servers of the same type 


+ Create a central place for administering many different Web Services 
servers 


What Are Clusters? 


Clusters are groups of servers that can be administered from a single NetWare 
Web Manager. All servers in a cluster must be of the same type (Web, proxy, 
mail, directory, and so on), and the NetWare Web Manager can store a cluster 
for each type of server. This enables you to have a central NetWare Web 
Manager to administer all of your NetWare Web Services servers. The servers 
can be installed on any computer in a network, but the NetWare Web Manager 
containing the clusters must have access to each of the NetWare Web 
Managers for each of the servers in the cluster, as shown in Figure 4, “Sharing 
Configurations in a Cluster,” on page 28. 




Figure 4 Sharing Configurations in a Cluster 

[Figure: network diagram. Callouts: A cluster of NetWare Web or News 
servers can share a configuration. For example, they can all use the same 
access control rules. You can use a single Web Manager to configure 
multiple NetWare Web or News servers.] 





Before Using Clusters 


When you configure a cluster, the NetWare Web Manager containing the 
cluster (the master NetWare Web Manager) communicates with the Web 
Managers for each of the servers in the cluster. Because of this, each Web 
Manager in the cluster must have an administrative user and password that the 
master Web Manager can use to authenticate itself. When you log in to your 
Web Manager and you supply a username and password, that information is 
sent to any remote Web Managers in a cluster, as shown in Figure 5, “Logging 
In with One Password,” on page 29. 


IMPORTANT: We recommend that all clustered services reside on physical 
servers that are in the same NDS tree and context. 
Figure 5 Logging In with One Password 

[Figure: a master Web Manager and the remote Web Managers it administers, 
each labelled User Name: Admin, Password: Novell. Callout: In order for 
Web Manager to configure multiple NetWare Web or News servers, usernames 
and passwords must be identical.] 





Before you can create a cluster, you must first install all of the servers you 
want to include in the cluster. For example, if you want one NetWare Web 
Manager where you can configure two NetWare Enterprise Web Servers, and 
a NetWare News Server, you first need to install all of the servers (and their 
respective NetWare Web Managers). Then configure one of the NetWare Web 
Managers as the master for the clusters. In this example, you’d have one 
NetWare Web Manager with a cluster containing three Enterprise Web 
Servers. Remember that a cluster must be of the same type. It doesn’t matter 
which NetWare Web Manager you choose as the master. 


The following list offers some guidelines to follow when configuring a 
cluster: 


+ Install the Web Services servers and their respective NetWare Web 
Managers. 


+ Make sure each NetWare Web Manager has a username and password 
that matches one used in the master NetWare Web Manager. If you are 
using an LDAP directory, such as a Netscape Directory Server™, you 
must set up the administrators group first, making sure there is at least one 
user in the directory that will be used for cluster administration. You can 
use the distributed administration feature to set up multiple administrators 
on each NetWare Web Manager. 
+ If you change the protocol of one NetWare Web Manager in a cluster, you 
must change the protocols for all NetWare Web Managers, and then you 
need to update the cluster information by modifying the servers in the 
cluster. 


Setting Up a Cluster 


To set up a cluster, first install the servers on the computers you want to 
include in the cluster. Make sure the NetWare Web Managers for each of the 
servers have a username and password that the master NetWare Web Manager 
will use for authentication. You can do this either by using the default 
username and password or by setting up distributed administration. Install the 
server product that will contain the master NetWare Web Manager, making 
sure the username and password matches the one set during installation. 


Adding Clusters to the Server List 


When you add a server to a cluster, you specify its NetWare Web Manager and 
port number. If that NetWare Web Manager contains more than one server, all 
of its servers are added to the cluster. (You can remove the individual servers 
later.) For example, if a remote NetWare Web Manager has a NetWare News 
Server and a NetWare Enterprise Web Server, then both servers are added to 
the cluster in the master NetWare Web Manager. 


If the remote NetWare Web Manager contains a cluster, the servers in the 
remote cluster are not added. The master NetWare Web Manager adds only 
those servers that are physically installed on the remote NetWare Web 
Manager computer; it doesn't add servers that might be installed in a cluster 
on the remote NetWare Web Manager. 


To add a server to the cluster list: 
1 Under General Administration, click Cluster Management > Add Server. 


2 In the Web Manager Hostname field, type in the hostname of the server 
you want to add. 


If your DNS can resolve hostnames, you don't need to type the fully 
qualified domain name; otherwise type the full host and domain name. 
For example, type 
www.company.com 


3 In the Web Manager Port field, type in the port number of the server you 
want to add. 


4 Click OK to add the remote server. 
5 Click Reset to clear all fields if you want to start over. 


6 After changing the configuration for a remote server, restart the remote 
server. 


If the server information for the new cluster is correct, the server identifiers 
appear on the form for each server installed on the remote NetWare Web 
Manager. If you have two or more servers on different computers that use the 
same identifier, the form shows the server identifier and the hostname for the 
computer. If both server identifier and hostnames are the same, the form shows 
the port number. If you don't want all of the servers in the cluster, you can 
remove individual servers. Servers in a cluster appear on the form with links 
to their respective Server Manager forms. 


Modifying Cluster Information 


If you change a NetWare Web Manager's hostname, port number, or protocol 
(HTTP or HTTPS), you also need to modify the information about that 
NetWare Web Manager that is stored in the cluster. 


To modify information about a server in a cluster, perform the following: 


1 Under General Administration, click Cluster Management > Modify 
Server. 


2 Click the Product Selector drop-down list > select the type of server you 
want to change. 


All servers of the type you select appear listed by their unique server 
identifier. 


3 Check the servers you want to modify. You can change the information 
for all servers in the cluster by clicking 
+ Select All to select all the remote servers you have created to the 
cluster 


+ Reset Selection to clear all server options you want to add to your 
cluster 


4 Select the NetWare Web Manager option protocol that the remote 
NetWare Web Manager uses, if it has changed. 


5 If applicable, type the new hostname for the remote NetWare Web 
Manager in the Web Manager Hostname field. 


6 If applicable, type the new port number that the remote NetWare Web 
Manager uses in the Web Manager Port field. 





7 Click OK. 


8 Click Reset to clear all fields if you want to start over. 


Removing Servers from a Cluster 


To remove a server from the cluster: 


1 Under General Administration, click Cluster Management > Remove 
Server. The Remove Servers from Cluster Database form will appear. 


2 Under the Product Selector drop-down list, select the type of server you 
want to remove. 


3 Check the servers you want to modify. You can change the information 
for all servers in the cluster by clicking 


+ Select All to select all the remote servers you have created to the 
cluster 


+ Reset Selection to clear all server option you want to add to your 
cluster. 


4 Click OK. 


The form displays a status saying the servers are removed from the cluster 
database and are no longer available for cluster control. You can still 
access the removed servers using their NetWare Web Manager; you just 
can't access them from the cluster. 


Administering Clusters 


Once you have created remote servers (see “Adding Clusters to the Server 
List” on page 30), perform the following steps to control the clusters under 
your server: 


To administer a cluster: 


1 Under General Administration, click Cluster Management > Cluster 
Control. 


2 Click the Product Selector drop-down list > select the server software 
product you want your servers to run. 


For example, when you select NetWare Enterprise Web Server, a list of 
all installed Enterprise servers appears in the form. The cluster form 
changes to display fields that apply to that server type. 


3 Within Check Servers to Control, check the servers you want, then click 
the button that applies: 


+ Select All to select all the remote servers you have created to the 
cluster. 


+ Reset Selection to reset the servers you want to add to your cluster 
4 Click Start to start all servers. 
5 Click Stop to stop all servers. 
6 Click Restart to restart all servers. 


7 Click View Access to view the logins of all servers > type in the number 
of lines the access log will show. 


The default is 20. 
8 Click View Error to view all server errors. 


9 Click Status to view the status of your cluster servers. 
User and Group Management 


NetWare® Web Manager lets you manage the users and groups that access the 
services provided by your Web Services servers. Because you manage users 
and groups from the NetWare Web Manager, you use the same interface for 
user and group management regardless of the type of servers or the number of 
servers that you are running at your site. This common management scheme 
provides simplified server administration by letting you maintain a single 
directory of users for all your Web Services. 


This section contains basic information about the differences between using a 
local database, an LDAP directory service, and Novell® Directory Services® 
(NDS®). 


NOTE: For more information about implementing LDAP with NDS, visit the 
Novell Support Connection Web site (http://support.novell.com). 


The Directory Service 


Under General Administration, the Users & Groups area is actually an 
interface to a directory service. Directory services are a type of software that 
allows you to maintain information, such as contact information or 
identification information for the people in your organization. You use a 
directory service in NetWare Web Manager to store user information, such as 
user IDs, e-mail addresses, and certificates. This information is typically used 
when controlling access to a server. 


You have a choice of the type of directory service you can use with NetWare 
Web Manager: You can use a local directory, an LDAP server, or NDS, which 
is a new option available in NetWare Web Manager. When configured to use 
NDS, users and groups are maintained by NetWare administration utilities. 
Thus the Users & Groups area of NetWare Web Manager is disabled. 
However, in this mode, all access control comes from NetWare file system 
trustee rights and available NDS usernames and passwords for HTTP 
authentication. 


The Local Directory 


The local directory is bundled with each NetWare Web Manager and provides 
many of the core directory functions available from the directory server. The 
local directory is intended for sites running stand-alone Web Services, such as 
the NetWare Enterprise Web Server or NetWare News Server. 


The local directory has the following limitations when compared to the 
Netscape Directory Server LDAP: 


+ The local directory cannot communicate across the network. It does not 
use the LDAP protocol. This means your users cannot use an LDAP client 
to perform directory access. They can, however, access the information 
through NetWare Web Manager. 

+ The local directory supports no more than 1,000 entries. 

+ The local directory is slower on lookups than the directory server because 
the local directory does not cache entries. 

+ The local directory does not perform schema checking. This means that 
the directory will not stop you from using object classes and attributes 
that are unknown to it. 

+ The local directory does not perform any kind of access control checking; 
however, you can configure access to the directory using NetWare Web 
Manager. 

+ The local directory cannot be replicated. 


You can use only the following two directory server command-line utilities 
with the local directory. 


+ LDAPSEARCH: Allows you to search the directory 

+ LDAPMODIFY: Allows you to add, delete, and modify directory entries 
Netscape Directory Server 


Based on an open-systems server protocol called the Lightweight Directory 
Access Protocol (LDAP), Netscape Directory Server is a versatile, scalable 
server designed to manage an enterprise-wide directory of users and 
resources. Using the directory server, you can manage all of your user 
information from a single source. You can also configure the directory server 
to allow your users to retrieve directory information from multiple, easily 
accessible network locations. 


The use of a directory server to manage your servers’ users and groups is 
recommended for large organizations consisting of up to one million users. 
The directory server is also ideal for organizations spread across physically 
different locations and for organizations where balancing the access load to 
their directory is important. Finally, the directory server is recommended for 
those organizations interested in enhancing directory availability by placing 
their directory services on multiple servers. 


Novell Directory Services 


Novell Directory Services (NDS) is installed with every NetWare 4.x system 
during setup and provides a repository for user and group information that is 
used to control access to NetWare server resources. The NetWare Enterprise 
Web Server provides a native NDS integration mode that allows access to Web 
resources to be protected by native NetWare file system trustee assignments 

and allows users to log in from an HTTP client using their NDS usernames and 
passwords. 


HTTP access to a file or resource in NDS mode is evaluated using NetWare 
file system trustee assignments, depending on the HTTP method used. Table 2 on 
page 37 defines the NetWare file system trustee rights required to grant access to 
Web resources in NDS mode for a given HTTP method. 








Table 2 HTTP Methods and Associated NetWare Trustee Assignment Requirements 

HTTP Method   NetWare Trustee Assignment Required for Access 
GET           Read 
PUT           Create on parent directory if the file is being created, or Write if the file is being replaced 
MKDIR         Create 
EDIT          Write 
HEAD          File Scan 
DELETE        Erase 
POST          Read on the CGI executable file 
INDEX         File Scan 
MOVE          Erase and Read on source, Create on destination 
COPY          Read on source, Create on destination 
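The following Python function applies Table 2 to a request. It is an added example written for this page, not code from this guide or from the NetWare Enterprise Web Server. The trustee store, the simplified rights inheritance (the assignment on the path itself or on its nearest ancestor applies, with no inherited rights filter modelled), the NetWare-style path names and the sample assignments are all constructed for illustration. Where Table 2 names only a right, the example assumes it is needed on the parent directory for MKDIR and on the parent of the destination path for MOVE and COPY.

```python
# Added example: apply Table 2 to an HTTP request in NDS mode.
# Not Novell code; the trustee store and inheritance model are simplified.

READ, WRITE, CREATE, ERASE, FILE_SCAN = "Read", "Write", "Create", "Erase", "File Scan"


def parent_dir(path):
    """Parent of a NetWare-style path: 'SYS:WEB/DOCS/x.html' -> 'SYS:WEB/DOCS'.
    The volume root ('SYS:') is its own parent."""
    head, sep, _ = path.rpartition("/")
    return head if sep else path.split(":")[0] + ":"


def required_rights(method, target, exists=True, source=None, cgi=None):
    """The (path, rights) pairs Table 2 demands; all of them must be satisfied.

    target - the file or directory the request names (for MOVE/COPY, the
             destination path)
    exists - whether target already exists; PUT needs Write on an existing
             file but Create on the parent directory when the file is new
    source - the source path for MOVE and COPY
    cgi    - the CGI executable that POST runs
    Assumed: Create is checked on the parent directory for MKDIR and on the
    destination's parent for MOVE/COPY (Table 2 names only the right)."""
    m = method.upper()
    if m == "GET":
        return [(target, {READ})]
    if m in ("HEAD", "INDEX"):
        return [(target, {FILE_SCAN})]
    if m == "EDIT":
        return [(target, {WRITE})]
    if m == "DELETE":
        return [(target, {ERASE})]
    if m == "MKDIR":
        return [(parent_dir(target), {CREATE})]
    if m == "PUT":
        return [(target, {WRITE})] if exists else [(parent_dir(target), {CREATE})]
    if m == "POST":
        if cgi is None:
            raise ValueError("POST needs the CGI executable path")
        return [(cgi, {READ})]
    if m in ("MOVE", "COPY"):
        if source is None:
            raise ValueError(m + " needs a source path")
        on_source = {ERASE, READ} if m == "MOVE" else {READ}
        return [(source, on_source), (parent_dir(target), {CREATE})]
    raise ValueError("HTTP method not covered by Table 2: " + method)


def effective_rights(trustees, user, path):
    """Rights the user holds on path: the assignment on the path itself, or on
    the nearest ancestor that has one (simplified NetWare inheritance; no
    inherited rights filter is modelled).  No assignment means no rights."""
    p = path
    while True:
        if (user, p) in trustees:
            return set(trustees[(user, p)])
        parent = parent_dir(p)
        if parent == p:
            return set()
        p = parent


def authorize(trustees, user, method, target, exists=True, source=None, cgi=None):
    """True only if every requirement from Table 2 is covered."""
    return all(needed <= effective_rights(trustees, user, path)
               for path, needed in required_rights(method, target, exists, source, cgi))


# Constructed sample trustee assignments (not real data): (user, path) -> rights.
SAMPLE_TRUSTEES = {
    ("jsmith", "SYS:WEB/DOCS"): {READ, FILE_SCAN},
    ("jsmith", "SYS:WEB/DOCS/UPLOAD"): {READ, WRITE, CREATE, ERASE, FILE_SCAN},
    ("jsmith", "SYS:WEB/CGI-BIN/FORM.NLM"): {READ},
}

if __name__ == "__main__":
    checks = [
        ("GET", "SYS:WEB/DOCS/x.html", True, None, None),
        ("PUT", "SYS:WEB/DOCS/x.html", True, None, None),           # needs Write on x.html: deny
        ("PUT", "SYS:WEB/DOCS/UPLOAD/new.txt", False, None, None),  # needs Create on UPLOAD: allow
        ("MOVE", "SYS:WEB/DOCS/a.txt", False, "SYS:WEB/DOCS/UPLOAD/a.txt", None),  # no Create on DOCS
        ("POST", "SYS:WEB/DOCS/form.html", True, None, "SYS:WEB/CGI-BIN/FORM.NLM"),
    ]
    for method, target, exists, source, cgi in checks:
        ok = authorize(SAMPLE_TRUSTEES, "jsmith", method, target, exists, source, cgi)
        print(f"{method:5} {target:32} {'allow' if ok else 'deny'}")
```

The point worth noticing is that PUT is the one method whose requirement depends on state: a user who may create files in a directory (Create on the parent) is not thereby allowed to overwrite an existing one (Write on the file), and a MOVE needs rights on two paths at once.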


When NDS mode is selected: 

+ Use the Novell administration utilities to maintain user and group 
information. 

+ Users will be required to log in from the Web browser to gain access to 
any Web resources. 

+ Make sure SSL is enabled if you do not want NDS passwords passed over 
the wire in the clear. 

+ The NetWare Web Manager’s Users & Groups area is disabled. 

+ NetWare file system trustee assignments are used exclusively to 
control access to Web resources. 

+ Web Manager’s Restrict Access area is disabled. 

+ None of the LDAP command-line utilities work natively with NDS. 

+ NetWare Enterprise Web Server access control lists (ACLs) are disabled. 


HINT: NDS provides an intranet solution that allows access to file system 
resources using a Web browser. NDS mode is not recommended as a 
configuration. 
Directory Service Clients 


Gateways 


You must use a directory service client to obtain information from and to put 
information into a directory service. If you are using the Netscape Directory 
Server, then any directory client that can use the LDAP protocol can use your 
directory. This is one of the primary differences between a true directory 
service and the local database bundled with NetWare Web Manager: the 
database can communicate only with the local Web Manager, whereas the 
directory server can communicate with any LDAP-capable client. 


NetWare Web Manager is actually a type of directory service client known as 
a gateway. NetWare Web Manager acts as a gateway between the 
communication protocol used by your Web browser (HTTP) and the protocol 
used by the directory server (LDAP). Of course, if you are using the local 
database, then the gateway skips the LDAP protocol and accesses the local 
database directly. 


When you first install NetWare Web Manager, you must configure your server 
to communicate either with the local directory or with the directory server. If 
you use a directory server, you need to make sure it has at least one user 
account that NetWare Web Manager can access. This is usually the 
administrator. Beyond that, you’ll experience no difference when using the 
Users & Groups forms. 


For help using the Users & Groups forms, click the Help button at the bottom 
of any of the Users & Groups forms found in NetWare Web Manager. 


Command-Line Clients 


Both the directory server and the local directory offer command-line utilities 
that allow you to search the directory and perform directory modifications 
from the command line. This allows you to create custom shell scripts or batch 
files to perform routine, automated tasks on your directory. 


The local directory provides two tools for your use: ldapmodify and 
ldapsearch. These are actually identical to the ldapmodify and ldapsearch 
command-line tools shipped with the directory server, except that the -C 
option has been added so that they can work with the local directory. Netscape 
Directory Server provides many command-line tools to help you administer 
and maintain your directory. With NDS, NetWare Administrator maintains the 
directory, and NetWare Administrator and RIGHTS.EXE maintain file system 
trustees. 


For more information on the LDAPMODIFY and LDAPSEARCH command-line 
tools bundled with NetWare Web Manager, see “Finding Directory 
Entries” on page 87 and “Modifying the Directory” on page 73. 


Authenticating Users to Directory Services 


Anytime you perform an operation on a directory service, you must identify 
yourself to the service. This identification process is known as authentication. 
You can also think of this process as logging into the directory service. 


Authentication allows a directory service to know if you have sufficient 
permissions to perform operations in the directory. Examples of directory 
operations are 

+ Searching the directory 

+ Adding entries (such as users and groups) to the directory 

+ Deleting entries from the directory 

+ Modifying entries in the directory 

Usually authentication is not required if all you want to do is search the 
directory. When you access a directory without providing authentication 
credentials, you are performing anonymous access. 

When you log in to NetWare Web Manager, the username and password that 
you provide are automatically used by the Users & Groups forms when they 
communicate with a directory server. 


IMPORTANT: If you need to change your administrator password, make sure 
you change it in the directory server before you change it in NetWare Web 
Manager. 

Distinguished Names 


A distinguished name (DN) is the string representation for the name of an 
entry in a directory server or in a local directory. You use DNs when naming 
entries using the LDAP Data Interchange Format (LDIF) and the LDAP 
command-line clients, and when configuring the directory server and so forth. 


Traditionally, a DN consists of the following items, in this order: 
+ Common name or a user ID 
+ List of regional or organizational attributes 
+ Country designation 


This string of identifying attributes uniquely locates the entry within your 
directory. If you choose, you can also use this naming structure to uniquely 
identify your entries within the global directory tree as defined in the X.500 
standard. 


Distinguished Name Syntax 


The traditional syntax for a DN string representation is the following: 


cn=common name, street=address, l=locality, st=state or 
province, ou=organizational unit, o=organization, 
c=country name 


A DN can consist of virtually any attributes you want to use. However, if you 
are using the LDAP server and schema checking is turned on, then the 
attributes must be recognized by the directory server, and the attribute must be 
allowed by the entry’s object classes. 


For more information on object classes and attributes, and your directory 
server’s schema, visit the Knowledgebase on the Novell Support Connection 
Web site (http://support.novell.com). 


Generally, however, a DN begins with a specific common name and gives 
increasingly broader areas of identification, ending with the country name. 
However, the DN attributes you use and the order in which you organize them 
is up to you. The only requirement is that DN attributes must be separated by 
a comma and can optionally use a space following the separator. 
Using UID-Based Distinguished Names 


One common variation on the traditional distinguished name identified here is 
to use a user ID (UID) in the place of a common name (CN). Because user IDs 
are typically unique values across an enterprise, basing your distinguished 
name on user IDs allows you to avoid CN collision problems caused by people 
who share the same name. By default, NetWare Web Manager uses CN-based 
distinguished names, but you can change this behavior so that it creates UID- 
based distinguished names instead. You do this by editing the file 


server_root/ADMIN-SERV/CONFIG/DSGW-ORGPERSON.CONF 


and setting the useUidForDN variable to true. 


Distinguished Name Usage 


Once you have organized your directory structure, you must always specify 
the DN attributes in the same order because a DN represents a path through 
the directory tree. For example, the following DNs do not represent the same 
entry: 

cn=Ralph Swenson, ou=Accounting, o=Ace Industry, c=US 
cn=Ralph Swenson, o=Ace Industry, ou=Accounting, c=US 


Also, distinguished names representing branch points in the directory do not 
typically begin with a common name value. Rather, they usually begin with 
some sub-element in the directory path. For example, if your directory 
contained entries of the form 

cn=name, ou=Marketing, o=Ace Industry, c=US 


then your directory would also contain the entries 

o=Ace Industry, c=US 
ou=Marketing, o=Ace Industry, c=US 


These two entries must appear in the directory before the entries represented 
by a common name can appear. 


Distinguished Name Examples 


The following are some examples of distinguished names: 
cn=Wally Henderson, ou=Product Development, o=Bait and Tackle Inc, st=Minnesota, c=US 

cn=Ashley Sweeny, ou=Product Test, o=Bait and Tackle Inc, st=Michigan, c=US 

cn=printer3b, l=room 308, o=Acme Programming Ltd, c=US 


Distinguished Name Attributes 


The various standard attributes that comprise a DN are in the following table: 

Attribute  Name                    Definition 
c          Country                 Identifies the name of the country under which the entry resides. Must be the two-letter country code, for example, c=US or c=GB. 
cn         Common Name             Identifies the person or object defined by the entry, for example, cn=Wally Henderson, cn=Database Administrators, or cn=printer3b. 
uid        User ID                 Identifies the person or object defined by the entry. DNs based on UIDs are often preferred over CN-based DNs because they avoid duplicated distinguished names caused by people who share the same name. 
l          Locality                Identifies the locality in which the entry resides. The locality could be a city, county, township, or other geographic region, for example, l=Tucson or l=Pacific Northwest. 
o          Organization            Identifies the organization in which the entry resides, for example, o=Novell Inc or o=Public Power & Gas. 
ou         Organizational Unit     Identifies a unit within the organization, for example, ou=Sales or ou=Manufacturing. 
st         State or province name  Identifies the state or province in which the entry resides, for example, st=Iowa or st=British Columbia. 
street     Street address          Identifies the street address at which the entry resides, for example, street=494 Rice Creek Terrace. 





Using Commas in Distinguished Names 


If a distinguished name contains a comma, then the part of the name that uses 
the comma must also be enclosed in double-quotation marks. For example, to 
include the string Ace Industry, Corp in your distinguished name, type it as 
follows: 

o="Ace Industry, Corp", c=US 
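A small parser that follows the DN rules given in the sections above: RDNs separated by commas with an optional space after the separator, attribute order significant, a value containing a comma enclosed in double quotes, and branch-point entries that must exist before the leaf entry can. This is an added example written for this page, not Novell or Netscape code. It compares values case-insensitively, which assumes the attributes use case-insensitive matching, and it does not handle backslash escaping, which the page does not describe.

```python
# Added example: parse, normalise and compare distinguished names under the
# rules given on this page.  Not Novell or Netscape code.


def split_rdns(dn):
    """Split a DN into [(attribute, value), ...], left to right.

    An unquoted comma separates RDNs; commas inside double quotes belong to
    the value and the quotes themselves are dropped.  Attribute types are
    lower-cased.  The empty string (the null suffix of a local directory)
    yields an empty list."""
    if not dn.strip():
        return []
    parts, buf, quoted = [], [], False
    for ch in dn:
        if ch == '"':
            quoted = not quoted          # quotes delimit; they are not data
        elif ch == "," and not quoted:
            parts.append("".join(buf))   # unquoted comma ends the RDN
            buf = []
        else:
            buf.append(ch)
    if quoted:
        raise ValueError("unbalanced double quote in DN: " + dn)
    parts.append("".join(buf))
    rdns = []
    for part in parts:
        attr, sep, value = part.partition("=")
        if not sep or not attr.strip():
            raise ValueError("not an attribute=value pair: " + repr(part))
        rdns.append((attr.strip().lower(), value.strip()))
    return rdns


def format_rdn(attr, value):
    """Render attr=value, re-quoting the value when it contains a comma."""
    return f'{attr}="{value}"' if "," in value else f"{attr}={value}"


def normalize(dn):
    """Canonical string: lower-case attribute types, one space after each comma."""
    return ", ".join(format_rdn(a, v) for a, v in split_rdns(dn))


def _key(rdns):
    # Values compared case-insensitively with collapsed whitespace; this
    # assumes the attributes use case-insensitive (caseIgnore) matching.
    return [(a, " ".join(v.split()).lower()) for a, v in rdns]


def same_entry(dn1, dn2):
    """Whether two DN strings name the same entry: same RDNs in the same order."""
    return _key(split_rdns(dn1)) == _key(split_rdns(dn2))


def ancestors(dn):
    """Branch points that must already exist, nearest first, e.g.
    cn=name, ou=Marketing, o=Ace Industry, c=US ->
    ['ou=Marketing, o=Ace Industry, c=US', 'o=Ace Industry, c=US', 'c=US']"""
    rdns = split_rdns(dn)
    return [", ".join(format_rdn(a, v) for a, v in rdns[i:])
            for i in range(1, len(rdns))]


if __name__ == "__main__":
    a = "cn=Ralph Swenson, ou=Accounting, o=Ace Industry, c=US"
    b = "cn=Ralph Swenson, o=Ace Industry, ou=Accounting, c=US"
    print(same_entry(a, a.replace(", ", ",")), same_entry(a, b))   # True False
    print(normalize('O="Ace Industry, Corp",C=US'))
    for branch in ancestors("cn=name, ou=Marketing, o=Ace Industry, c=US"):
        print(branch)
```

Reordered attributes fail the comparison on purpose: the two Ralph Swenson DNs above are different paths, so any tool that treats DNs as unordered sets of attributes would grant or deny access against the wrong entry.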


Planning Your Directory Structure 


Directories are usually organized in a tree-like structure. The top of the tree is 
known as the root. 


A typical tree has several branch points below the root. These branch points 
usually represent major organizational units within the larger organization. 
For more information about trees, visit the Novell Documentation Web site 
(http://www.novell.com/documentation). 


The following sections discuss the pros and cons of creating subdivisions 
within your directory. 


Disadvantages of Organizational Units 


Be aware that the flatter the structure of a directory, the easier your directory 
is to manage. The following are some of the reasons: 


+ Moving directory entries from one organizational unit to another involves 
deleting the entry from the original organizational unit and recreating it 
under the new organizational unit. 


+ To delete or rename organizational units, you must delete every entry 
from beneath the organizational unit, rename or delete the unit, and then 
recreate all of the deleted entries in another part of the directory tree. 
Because this task is tedious, you should be careful about creating 
organizational units in your directory tree if your company tends to 
reorganize frequently. 


If you are using Netscape Directory Server, then you can create tools to 
perform these tasks, either by using shell scripts or batch files to call the 
appropriate command-line utilities or by writing programs that make use of 
the Netscape Directory Server client SDK. 


Advantages of Organizational Units 


A directory tree with many subdivisions has many advantages. An obvious 
one is that you can easily search for everyone who works for a specific 
organization. If you are using a directory server, there are several other 
benefits to a subdivided directory. 


+ If you are using replication, then you can manage sub-trees on servers 
local to the organizations that they represent. This allows for local control 
of organizational information. 


+ You can also replicate specific sub-trees to other directory servers. If you 
have certain entries that you want other organizations to view and other 
entries that you want to remain private, then you can easily provide access 
to the public entries by replicating them to a public directory server. This 
strategy is especially useful if you want to make some information 
available outside of a firewall, while making other information available 
only inside the firewall. 


+ Even if replication is not in use, you can easily restrict or allow access to 
entries representative of an organization if they are logically organized 
together in the directory tree. 


For information on replication and directory access control, see Controlling 
Access to Your Server in the NetWare Enterprise Web Server Administration 
Guide. 


Recommendations for Using Organizational Units 


A flat directory structure is the easiest to administer, but not necessarily the 
easiest to use. You should therefore consider the following when planning 
your directory: 


+ Use a directory structure that is subdivided along the lines of the major 
functional activities in your organization. These subdivisions can 
represent actual division names but refrain from using these names if your 
organization tends to frequently reorganize. 


+ If you work for an organization that frequently reorganizes or if your 
organization is young and still growing, then use generic names to 
represent major activities. For example, if your company has the 
following organizations: 

+ Product Marketing for Product 1 
+ Product Marketing for Product 2 
+ Product Development and Documentation for Product 1 
+ Product Development and Documentation for Product 2 
+ Product Sales-East Coast 
+ Product Sales-West Coast 

then try to use generic divisions within your directory, such as the 
following: 

+ Marketing 
+ Development 
+ Sales 


+ Consider geographic divisions as an alternative to organizational 
divisions, especially if your organization has major geographic points of 
activity. For example, if you have business offices in several cities, 
consider using branch points based on the city names. 


+ Try not to divide your directory down to the smallest business unit or 
department name. This detailed level of division creates maintenance 
difficulties. For the same reason, try to avoid branching your directory to 
more than two or three levels deep. 


Configuring Directory Services 


To organize your users and groups, you can choose the local directory, LDAP 
server, or NDS modes. When you first install NetWare Web Manager, you 
configure the server to use either the local directory or a directory server. NDS 
is selected by default. 


You can change this configuration after NetWare Web Manager is installed. 
The following sections describe how to configure NetWare Web Manager to 


use these three directory services. 


IMPORTANT: Regardless of which directory service you choose to use, 
access to NetWare Web Manager is still handled by NDS. If you choose LDAP 
or local directory modes, you will be required to enter a fully distinguished 
name as the user name, when prompted. 


Using the Local Directory 
To configure a local directory: 


1 Under General Administration, click Global Settings > Configure 
Directory Service. 


2 Select Local Database. 

A dialog box appears to warn you that you will lose your directory service 
configuration information. 


3 Click OK. 


4 In the Base DN field, type the distinguished name that will be used as a 
suffix for your local directory and also as the point from which directory 
lookups will occur by default. 


An example of a suffix that you could enter here is 
o=your company name, c=US 


If you do not enter a value in this field, then your suffix will be a null 
string, and all searches will begin from the top or root point of the 
directory. 


5 Click Save Changes. 


Using the LDAP Server 


IMPORTANT: Before switching to LDAP mode, you must first enable 
unencrypted passwords by opening the properties of your LDAP Server object 
using NetWare Administrator. This permits the bind password to travel as 
clear text, so use the directory server’s SSL port (636 by default) for the 
connection from NetWare Web Manager wherever possible. 


To configure the LDAP server: 


1 Under General Administration, click Global Settings > Configure 
Directory Service. 


2 Click LDAP Directory Server. 


A dialog box appears to confirm that you want to use a Directory Server. 
3 Click OK. 


4 In the Host Name field, type the hostname where the directory server is 
running. 


You must enter a hostname even if the directory server is running on the 
local machine. 


5 In the Port field, type the port number if your directory server is using 
a port other than the default, 389. 

If you are going to use SSL communications with a directory server, then 
you should enter the port number that the directory server is using for SSL 
communications. By default, this is port number 636. 


6 In the Base DN field, type the distinguished name that will be the point 
from which directory lookups will occur by default and will be the 
location where all NetWare Web Manager’s entries will be placed in your 
directory tree. 


An example of a base DN that you could enter here is 
o=your company name, c=US 


7 In the Bind DN field, type the bind DN that NetWare Web Manager will 
use to initially bind (or log in) to the directory server. 


This bind DN only requires Read and Search access to the directory. 
Because this DN and the associated password (if any) are easily 
compromised, it is best to simply leave this field blank and then set up 
your directory server to allow anonymous search access. If you do not 
want to allow anonymous search access to your directory, then specify a 
bind DN entry here that only has Read and Search access to your 
directory. 


IMPORTANT: Do not specify your directory server’s unrestricted user 
(Root DN) in this field. This bind DN is used only to initially search for 
the username you typed in the NetWare Web Manager authentication 
dialog box. Once the entry corresponding to this username is located, 
NetWare Web Manager rebinds to the directory server using the 
retrieved entry. Therefore, if the username you supplied when you first 
logged into NetWare Web Manager does not have access to the 
directory server, you will not have any access to the directory server, 
regardless of the bind DN information provided in this field. For more 
information on how NetWare Web Manager binds to the directory 
server, see “NetWare Web Manager Basics” on page 13. 


8 In the Bind Password field, type the password for the bind DN entry, if 
you have entered a bind DN in the previous field. 


9 Click Save Changes. 
IMPORTANT: If you change the directory service from the local directory to a 
directory server or vice versa, you need to restart all Web Services 
servers, including NetWare Web Manager. 

Using Novell Directory Services 
To configure the NetWare Enterprise Web Server to use NDS®: 


1 Under General Administration, click Global Settings > Configure 
Directory Service. 


2 Select Novell Directory Services. 


A dialog box appears to confirm that you want to use NDS. 
3 Click OK. 
4 Click Insert Context to add a new search context. 
5 Click Remove Context to remove one or more search contexts. 


6 Click Float Context to move the selected context to a higher priority 
context. 


7 Click Save Changes. 


If you change directory service from a local or remote LDAP directory to 
NDS, you need to restart all Web Services servers. NetWare Web Manager 
does not need to be restarted because its configuration is dynamically updated 
to refer to the NDS operation mode. 


HINT: NDS does not allow public access to files. All users must be 
authenticated before receiving any content. 
Configuring Users and Groups 


This section describes how to use the forms in the general administration 
Users & Groups area. This section covers creating and managing users, 
groups, and organizational units; importing a directory from LDAP Data 
Interchange Format (LDIF); and exporting a database to LDIF. 


HINT: If you are using Novell® Directory Services® (NDS®) mode, you can use 
the NetWare administration tools to manage users and groups, or you can 
now use NetWare Web Manager. 


Creating Users 


To create a user entry within the directory: 


1 Under General Administration, click Users & Groups > organization > 
New User. 


2 In the appropriate fields, type the requested information. At a minimum, 
you must specify the user’s 


+ Surname 
+ User ID 


HINT: The user ID is generated as the first initial of the user’s first 
name followed by the user’s last name. You can replace this user ID 
with an ID of your own choice if you want. 


The user ID must be unique. NetWare Web Manager ensures that the 
user ID is unique by searching the entire directory from the search 
base (base DN) down to see if the user ID is in use. Be aware, 
however, that if you use the ldapmodify command-line utility to create 
a user, it does not ensure unique user IDs. If duplicate user IDs exist 
in your directory, the affected users will not be able to authenticate to 
the directory. 


3 Click Create User to add a user. 


4 Click Create and Edit User to add a user and then proceed to the Edit User 
form for the user you have just added. 


For information on editing users, see “Managing Users” on page 53. 


Additional Information about User Entries 


The following information may be of interest to the directory administrator 
concerning creating user entries: 


+ User entries use the inetOrgPerson, organizationalPerson, and person 
object classes. For more information on how these are used, search the 
Novell Support Connection Web site at (http://support.novell.com). 


+ By default, the distinguished name for users is as follows: 
cn=full name, ou=organization, ..., o=base organization, 
c=country 


For example, if a user entry for Sam Warden is created within the 
organizational unit Engineering, and the directory's suffix is o=Ace 
Industry, c=US, then the person's DN is 


cn=Sam Warden, ou=Engineering, o=Ace Industry, c=US 


However, you can change this format to a UID-based distinguished name. 
For information on how to set this default, see “Distinguished Name 
Syntax” on page 41. 


+ Suffixes are optional if you are using the local directory. If you did not 
configure a suffix for your local directory, then you literally use the string 
"" (quote quote) to represent the search base on calls to ldapsearch. 


+ The values on the user form fields are stored as the following LDAP 
attributes: 

User Field      Corresponding LDAP Attribute 
Given Name      givenName 
Surname         sn 
Full Name       cn 
User ID         uid 
Password        userPassword 
E-Mail Address  mail 


The following fields are also available when editing the user entry: 

User Field      Corresponding LDAP Attribute 
Title           title 
Telephone       telephoneNumber 
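The following builds the LDIF record that corresponds to what the New User form stores, using the rules from this section: the user ID defaults to the first initial of the given name followed by the surname, the DN is CN-based unless useUidForDN is set, the entry uses the person, organizationalPerson and inetOrgPerson object classes, the form fields map to the attributes in the table above, and the user ID is checked for uniqueness under the base DN before the record is produced (the check that ldapmodify alone does not perform). This is an added example written for this page, not Novell code. The list of existing user IDs stands in for the directory search that Web Manager performs; lower-casing the generated user ID and base64-encoding values LDIF cannot carry literally are this example's own choices.

```python
# Added example: the LDIF record behind the New User form, with the user ID
# uniqueness check ldapmodify does not do.  Not Novell code.

import base64
import re

# Object classes the page says user entries use.
OBJECT_CLASSES = ("person", "organizationalPerson", "inetOrgPerson")


def default_uid(given_name, surname):
    """First initial of the given name followed by the surname.  Lower-casing
    and dropping non-alphanumerics are this example's assumptions."""
    return re.sub(r"[^a-z0-9]", "", (given_name[:1] + surname).lower())


def attr_line(attr, value):
    """One LDIF attribute line.  Values LDIF cannot carry literally (non-ASCII,
    control characters, or a leading space, colon or '<') are base64-encoded
    after a double colon, as LDIF requires."""
    safe = (value.isascii() and value.isprintable()
            and not value.startswith((" ", ":", "<")))
    if safe:
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"


def user_dn(full_name, uid, org_path, use_uid_for_dn=False):
    """Default DN is cn=full name under the organization path; with
    useUidForDN set to true the RDN becomes uid=user ID instead."""
    rdn = f"uid={uid}" if use_uid_for_dn else f"cn={full_name}"
    return f"{rdn}, {org_path}"


def new_user_ldif(given_name, surname, org_path, existing_uids,
                  uid=None, password=None, mail=None, use_uid_for_dn=False):
    """Return the LDIF add record for a new user, or raise ValueError when the
    user ID is already in use under the base DN.

    existing_uids stands in for the search Web Manager performs from the base
    DN down; in practice it would come from ldapsearch."""
    uid = uid or default_uid(given_name, surname)
    if uid.lower() in {u.lower() for u in existing_uids}:
        raise ValueError(f"user ID {uid!r} is already in use")
    full_name = f"{given_name} {surname}"
    lines = [attr_line("dn", user_dn(full_name, uid, org_path, use_uid_for_dn)),
             "changetype: add"]
    lines += [f"objectClass: {oc}" for oc in OBJECT_CLASSES]
    lines += [attr_line("givenName", given_name),
              attr_line("sn", surname),
              attr_line("cn", full_name),
              attr_line("uid", uid)]
    if mail:
        lines.append(attr_line("mail", mail))
    if password:
        lines.append(attr_line("userPassword", password))
    return "\n".join(lines) + "\n"


# Constructed sample: user IDs already present under o=Ace Industry, c=US.
EXISTING_UIDS = ["swarden", "ahansen"]

if __name__ == "__main__":
    print(new_user_ldif("Pamela", "Jensen", "ou=Engineering, o=Ace Industry, c=US",
                        EXISTING_UIDS, mail="pjensen@ace.example"))
    try:
        new_user_ldif("Sam", "Warden", "o=Ace Industry, c=US", EXISTING_UIDS)
    except ValueError as err:
        print("refused:", err)
```

The record can be fed to ldapmodify; running the uniqueness check first matters because, as the section notes, a duplicate uid leaves the affected users unable to authenticate.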





Managing Users 


You edit user attributes from the Manage Users form. From this form you can 

+ Find user entries 

+ Change user attribute values 

+ Change the user's password 

+ Manage the user's licenses 

+ Rename the user's entry 

+ Delete the user's entry 

+ Change some, but not all, product-specific information. Web Services 
servers add additional forms to this area that allow you to manage 
product-specific information. For example, if a News Server is installed 
under NetWare Web Manager, then an additional form is added that 
allows you to edit News Server-specific information. See NetWare News 
Server Administration Guide for more details. 

The following sections describe these activities in detail. 


For more information regarding user entries when using a directory server, see 
“Additional Information about User Entries” on page 52. 


Finding User Entries 


Before you can edit a user entry, you must display the entry. 


To find an entry if running LDAP or Local Directory modes: 


1 Under General Administration, click Users & Groups > Manage Users. 


2 In the Find User field, type some descriptive value for the entry that you 
want to edit. You can enter any of the following in the search field: 


+ A name: Type a full name or a partial name. 

+ A user ID. 

+ A telephone number. 

+ An e-mail address: Any search string containing an at (@) symbol is 
assumed to be an e-mail address. 

+ An asterisk (*): Type an asterisk to see all of the entries currently in 
your directory. You can achieve the same effect by simply leaving the 
field blank. 

+ Any LDAP search filter: Any search string that contains an equal sign (=) 
is treated as an LDAP search filter rather than as a name. 


3 In the Format field, select either On-Screen or Printer. 


4 Click Find. 


5 In the resulting table, click the name of the entry that you want to edit. 


The user edit form is displayed. 


6 Change the displayed fields as desired. 


7 Click Save Changes. 
The Find All Users Whose Field 


This field allows you to build a custom search filter. Use this field to narrow 
down the search results returned by Find User. 


Find All Users Whose provides the following search criteria: 


1. The left drop-down list allows you to specify the attribute on which the 
search will be based. 


The options include the following: 
+ Full Name 
+ Last Name 
+ User ID 
+ Phone Number 
+ E-Mail Address 
2. The center drop-down list allows you to select the type of search you want 
to perform. 
The options include the following: 


+ Contains: Entries with attribute values containing the specified 
search string are returned. 


+ Is: Use this option when you know the exact value of a user's 
attribute. 


+ Isn't: Returns all the entries whose attribute value does not exactly 
match the search string. For example, if you want to find all the users 
in the directory whose names are not "Sam Warren," use this option. 


IMPORTANT: Use of this option can cause an extremely large 
number of entries to be returned to you. 


+ Sounds Like: Causes an approximate, or phonetic, search to be 
performed. Use this option if you know an attribute's value, but you 
are unsure of the spelling. For example, if you are not sure if a user's 
name is spelled Sarret, Sarette, or Sarett, use this option. 


+ Starts With: Returns all the entries whose attribute value starts with 
the specified search string. 
+ Ends With: Returns all the entries whose attribute value ends with the 
specified search string. 


3. In the right-most text field, type your search string. 
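The following shows how the Find User and Find All Users Whose criteria described above translate into LDAP search filters. It is an added example written for this page, not Novell code. The attribute mapping follows the Corresponding LDAP Attribute table in this section; the fallback for a plain string in Find User (matching against name, user ID and telephone number) and the use of (objectClass=*) for "all entries" are assumptions; and escaping of the typed string, so that characters such as * and ) are matched as data instead of being interpreted as filter syntax, is this example's addition and is not described by the page.

```python
# Added example: build the LDAP search filter behind the Find User and
# Find All Users Whose fields.  Not Novell code; filter escaping is this
# example's addition (the escaping rules of the LDAP filter syntax).

# Left drop-down choice -> LDAP attribute (Corresponding LDAP Attribute table).
ATTRIBUTES = {
    "Full Name": "cn",
    "Last Name": "sn",
    "User ID": "uid",
    "Phone Number": "telephoneNumber",
    "E-Mail Address": "mail",
}


def escape_filter_value(text):
    """Escape the characters that have meaning inside a filter assertion so the
    administrator's string is matched as data: backslash, *, (, ) and NUL."""
    return "".join("\\%02x" % ord(ch) if ch in '\\*()\x00' else ch for ch in text)


def build_filter(field, match, text):
    """Filter for one Find All Users Whose criterion (center drop-down)."""
    attr = ATTRIBUTES[field]
    value = escape_filter_value(text)
    if match == "Contains":
        return f"({attr}=*{value}*)"
    if match == "Is":
        return f"({attr}={value})"
    if match == "Isn't":
        return f"(!({attr}={value}))"        # can return most of the directory
    if match == "Sounds Like":
        return f"({attr}~={value})"          # approximate (phonetic) match
    if match == "Starts With":
        return f"({attr}={value}*)"
    if match == "Ends With":
        return f"({attr}=*{value})"
    raise ValueError("unknown match type: " + match)


def find_user_filter(text):
    """Filter for the Find User field, following the rules listed above:
    blank or '*' returns everything, '@' means an e-mail address, '=' means
    the string is itself a filter and is used as typed.  Otherwise the string
    is matched against name, user ID and telephone number (assumed fallback)."""
    t = text.strip()
    if t in ("", "*"):
        return "(objectClass=*)"                       # assumed: "all entries"
    if "=" in t:
        return t if t.startswith("(") else f"({t})"    # used as typed, unescaped
    if "@" in t:
        return f"(mail={escape_filter_value(t)})"
    v = escape_filter_value(t)
    return f"(|(cn=*{v}*)(uid={v})(telephoneNumber=*{v}*))"


def combined_filter(find_text, narrow=None):
    """Find User result, ANDed with a (field, match, text) criterion when given."""
    f = find_user_filter(find_text)
    return f"(&{f}{build_filter(*narrow)})" if narrow else f


if __name__ == "__main__":
    print(build_filter("Last Name", "Sounds Like", "Sarret"))
    print(build_filter("User ID", "Is", "*)(uid=*"))         # escaped, not a wildcard
    print(combined_filter("Sam", ("Last Name", "Ends With", "ren")))
```

The contrast between the two paths is the point: a string that reaches the directory through build_filter is escaped and matches literally, while a string containing an equal sign is, by the page's own rule, used as a filter exactly as typed, so only trusted administrators should be able to type into the Find User field.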


Editing User Information 
To change a user's entry: 
1 Under General Administration, click Users & Groups > Manage Users. 


2 Find the user entry you want. 


See “Finding User Entries” on page 54 for more information. 
3 Edit the field corresponding to the attribute that you wish to change. 


4 Click Save Changes. 


HINT: You might want to change an attribute value that is not displayed by the 
edit user form. In this situation, use the ldapmodify command-line utility. 


You can change the user’s first, last, and full name field from this form, but to 
fully rename the entry (including the entry’s distinguished name), you need to 
use the Rename User form. For more information on how to rename an entry, 
see “Renaming Users” on page 57. 


Managing a User’s Password 


The password you set for user entries is used by the various Web Services for 
user authentication. 


To change or create a user's password: 
1 Under General Administration, click Users & Groups > Manage Users. 


2 Find the user entry you want. 


See “Finding User Entries” on page 54 for more information. 


3 Click Password at the top of the User Edit form. 
4 Type the new password, then type the confirmation password. 

5 Click Set Password. 

6 Click General to return to general user information. 
You can also disable the user's password by clicking Disable Password. Doing 
this prevents the user from logging into a Web Services server without 
deleting the user's directory entry. You can reinstate the password by using the 
Password Management form to enter a new password. 


Managing User Licenses 
To track which Web Services your users are licensed to use: 
1 Under General Administration, click Users & Groups > Manage Users. 
2 Click Licenses at the top of the User Edit form. 
3 Check next to the Web Services that you want the user to be able to use. 
4 Click Save Changes. 
5 Click General to return to general user information. 


HINT: Currently Web Services do not enforce these licenses. 


Renaming Users 
To rename a user entry: 
1 Under General Administration, click Users & Groups > Manage Users. 


2 Select the user entry you want. 


See Finding User Entries for more information. 
3 Click Rename User. 


4 Type the new name. 
If you are using common name-based DNs, specify the user’s full name. 
If you are using UID-based distinguished names, enter the new UID value 
that you want to use for the entry. 


5 Type the modified given name, surname, full name, or UID in the 
applicable fields as is appropriate to match the new distinguished name 
for the entry. 


If you are using common name-based distinguished names, and you 
change the distinguished name to use a new common name, then you 
should make sure that this new common name is listed as the first choice 
in the list of full names. This ensures that the appropriate name is 
displayed when a list showing this entry is generated. 


HINT: The rename feature changes only the user's name; all other 
fields are left intact. In addition, the user's old name is still preserved 
so searches against the old name will still find the new entry. 


When you rename a user entry, you can only change the user’s name; you 
cannot use the rename feature to move the entry from one organizational 
unit to another. For example, suppose you have 


+ Organizational units for Marketing and Accounting 


+ An entry named James Warren under the Marketing organizational 
unit 


You can rename the entry from James Warren to Jim Warren, but you 
cannot rename the entry such that James Warren under the Marketing 
organizational unit becomes James Warren under the Accounting 
organizational unit. 


6 To return to the general information form, click General. 


Removing Users 
To delete a user entry: 
1 Under General Administration, click Users & Groups > Manage Users. 


2 Find the user entry you want. 


See “Finding User Entries” on page 54 for more information. 
3 Click Delete User > OK. 


Creating Groups 


To create a group entry within the directory: 
1 Under General Administration, click Users & Groups > New Group. 


2 In the Group Name field, type the group's name. 


You can optionally add a description for the group in the Description 
field. 


3 Click Create Group to add the group and immediately return to the New 
Group form. 


4 Click Create and Edit Group to add the group and then proceed to the Edit 
Group form for the group you have just added. 


For information on editing groups, see “Editing Group Attributes” on 
page 61. 


Managing Groups 
You edit groups and manage group memberships from the Group Edit form. 
From this form you can 
+ Find groups 
+ Change group attributes 
+ Add and delete owners of the group 
+ Add and delete see also information 
+ Add and delete members of the group 
+ Rename the group 


+ Delete the group 
+ Change the group's description. 


The following sections describe these activities in detail. 


Finding Group Entries 
To find group entries: 
1 Under General Administration, click Users & Groups > Manage Groups. 


2 In the Find Group field, type the name of the group that you want to find. 
You can enter any of the following in the search field: 
+ A name: Type a full name or a partial name. 


+ An asterisk (*): Type to see all of the groups currently residing in 
your directory. 


+ Any LDAP search filter: Any string that contains an equal sign (=) is 
treated as an LDAP search filter. 


3 In the Format field, select either On-Screen or Printer. 

4 Click Find. 

5 In the resulting table, click the name of the entry you want to edit. 
The Find All Groups Whose Field 


This field allows you to build a custom search filter. Use this field to narrow 
down the search results. 


Find All Groups Whose provides the following search criteria: 


1. The left drop-down list allows you to specify the attribute on which the 
search is based. 


The options are 
+ Full Name 


+ Description 
2. In the middle drop-down list, select the type of search you want to 
perform. 


The options include the following: 


+ Contains: Entries with attribute values containing the specified 
search string are returned. 


+ Is: Use this option when you know the exact value of a group’s 
attribute. 


+ Isn't: Returns all the entries whose attribute value does not exactly 
match the search string. If you want to find all the groups in the 
directory whose names do not contain “administrator,” use this 
option. 


+ Sounds Like: Causes an approximate, or phonetic, search to be 
performed. Use this option if you know an attribute’s value, but you 
are unsure of the spelling. For example, if you are not sure if a 
group’s name is spelled Sarret's list, Sarette’s list, or Sarett’s list, use 
this option. 


+ Starts with: Returns all the entries whose attribute value starts with the 
specified search string. 


+ Ends with: Returns all the entries whose attribute value ends with the 
specified search string. 


3. In the right text field, type your search string. 


For more information on how to find a group entry, see “Finding Group 
Entries” on page 60. 


Editing Group Attributes 
To change a group entry: 
1 Under General Administration, click Users & Groups > Manage Groups. 


2 Find the group you want to edit. 


See “Finding Group Entries” on page 60 for more information. 


3 In the Group Edit form, change the displayed fields as desired. 
4 Click Save Changes. 


HINT: To change an attribute value that is not displayed by the group 
edit form, use the ldapmodify command-line utility. 


Adding Group Members 


To add members to the group: 

1 Under General Administration, click Users & Groups > Manage Groups. 


2 Find the group you want to edit. 


See “Finding Group Entries” on page 60 for more information. 


3 Click Edit under Group Members. 


A new form is displayed that allows you to search for entries. If you want 
to add user entries to the list, make sure Users is shown in the Find drop- 
down list. If you want to add group entries to the group, make sure Group 
is shown. 


4 In the right-most text field, type a search string. 


Type any of the following: 

+ A name: Type a full name or a partial name. 

+ A user ID: Use if you are searching for user entries. 

+ A telephone number 

+ An e-mail address: Any search string containing an at (@) symbol is 
assumed to be an e-mail address. 

+ An asterisk (*): Type an asterisk to see all of the entries or groups 
currently residing in your directory. 

+ Any LDAP search filter: Any string that contains an equal sign (=) is 
treated as an LDAP search filter. 


5 Click Find and Add to find all the matching entries and add them to the 
group. 
If the search returns any entries that you do not want to add to the group, 
check the box in the Remove from List column. You can also construct a 
search filter to match the entries you want removed and then click Find 
and Remove. 


6 When the list of group members is complete, click Save Changes. 


Adding Groups to the Group Members List 
You can add groups (instead of individual members) to the group’s members 
list. Doing so causes any users belonging to the included group to become a 
member of the receiving group. For example, if Sam Warren is a member of 
the Marketing Managers group, and you make the Marketing Managers group 
a member of the Marketing Personnel group, then Sam Warren is also a 
member of the Marketing Personnel group. 


To add a group to the members list of another group, add the group as if it were 
a user entry. See “Adding Group Members” on page 62 for more information. 


Removing Entries from the Group Members List 
To delete an entry from the group members list: 
1 Under General Administration, click Users & Groups > Manage Groups. 


2 Find the group you want to edit. 


See “Finding Group Entries” on page 60 for more information. 
3 Click Edit under Group Members. 


4 For each member that you want to remove from the list, check the 
corresponding box under the Remove from List column. 


5 Click Save Changes. 
Managing Owners 
You manage a group’s owners list the same way as you manage the group 
members list. The following table shows you which section to read for more 
information. 

If you want to                         Use the steps in 
Add owners to the group                “Adding Group Members” on page 62 
Add groups to the owners list          “Adding Groups to the Group Members List” on page 63 
Remove entries from the owners list    “Removing Entries from the Group Members List” on page 63 


Managing See Alsos 
See Alsos are references to other directory entries that may be relevant to the 
current group. They allow users to easily find entries for people and other 
groups that are related to the current group. 

You manage see alsos the same way as you manage the group members list. 
The following table shows you which section to read for more information. 

If you want to                         Use the steps in 
Add users to see alsos                 “Adding Group Members” on page 62 
Add groups to see alsos                “Adding Groups to the Group Members List” on page 63 
Remove entries from see alsos          “Removing Entries from the Group Members List” on page 63 


Removing Groups 
To delete a group: 
1 Under General Administration, click Users & Groups > Manage Groups. 


2 Find the group you want to delete. 
See “Finding Group Entries” on page 60 for more information. 


3 Click Delete Group > OK. 


Renaming Groups 
To rename a group: 
1 Under General Administration, click Users & Groups > Manage Groups. 


2 Find the group you want to edit. 
See “Finding Group Entries” on page 60 for more information. 
3 Click Rename Group. 
4 Type the new group name. 
When you rename a group entry, you only change the group’s name; you 
cannot use the Rename feature to move the entry from one organizational unit 
to another. For example, suppose you have 


+ Organizational units for Marketing and Engineering 


+ A group named Research and Development under the Engineering 
organizational unit. 


You can rename the group from Research and Development to Development 
and Research, but you cannot rename the entry such that Research and 
Development under the Engineering organizational unit becomes Research 
and Development under the Marketing organizational unit. 


Creating Organizational Units 


To create an organizational unit: 


1 Under General Administration, click Users & Groups > New 
Organizational Unit. 


2 In the Unit Name field, type the name of the organizational unit. 

3 In the optional Description field, you can type a description of the unit. 


4 Click Create Organizational Unit. 


Additional Information about Organizational Units 
The following information may be of interest to the directory administrator: 


+ New organizational units are created using the organizationalUnit object 
class. 


+ The distinguished name for new organizational units is of the form: 
ou=new organization, ou=parent organization, ...,o=base 
organization, c=country 


For example, if you create a new organization called Accounting within 
the organizational unit West Coast, and your Base DN is o=Ace Industry, 
c=US, then the new organization unit's DN is 

ou=Accounting, ou=West Coast, o=Ace Industry, c=US 


Managing Organizational Units 


+ Find organizational units 

+ Remove organizational units 

+ Edit organizational unit attributes 
+ Rename organizational units 


+ Delete organizational units 


Finding Organizational Units 
To find organizational units 


1 Under General Administration, click Users & Groups > Manage 
Organizational Units. 
2 In the Find Organizational Unit field, type the name of the unit you want 
to find. You can enter any of the following in the search field: 


+ A name: Type a full name or a partial name. 


+ An asterisk (*): Type to see all of the groups currently residing in 
your directory. 


+ Any LDAP search filter: Any string that contains an equal sign (=) is 
treated as an LDAP search filter. 


3 In the Format field, select either On-Screen or Printer. 

4 Click Find. 

5 Click the name of the organizational unit that you want to find. 
The Find All Units Whose Field 


This field allows you to build a custom search filter. Use this field to narrow 
down the search results that are otherwise returned by Find organizational 
unit. 


Find All Units Whose provides the following search criteria: 


1. The left drop-down list allows you to specify the attribute on which the 
search will be based. 


The options include the following: 
+ Unit name 


+ Description 


2. In the center drop-down list, select the type of search you want to 
perform. 


The options include the following: 


+ Contains: Entries with attribute values containing the specified 
search string are returned. 


+ Is: Returns the exact value of an organizational unit's attribute. 


+ Isn't: Returns all the entries whose attribute value does not exactly 
match the search string. If you want to find all the organizational 
units in the directory whose name does not contain "Marketing," use 
this option. 


+ Sounds Like: Causes an approximate, or phonetic, search to be 
performed. Use this option if you know an attribute's value, but you 
are unsure of the spelling. 


+ Starts With: Returns all the entries whose attribute value starts with 
the specified search string. 


+ Ends With: Returns all the entries whose attribute value ends with the 
specified search string. 


3. In the right text field, type your search string. 


For more information on how to find an organizational unit entry, see 
“Finding Organizational Units” on page 66. 
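The following added example (not code from NetWare Web Manager or Novell) builds the LDAP search filter that the Find All Groups Whose and Find All Units Whose forms describe, for the six match types listed above; it escapes the search string the way LDAP filter syntax requires, so that characters typed into the field cannot change the structure of the filter. The attribute names behind the form labels (cn for Full Name, ou for Unit name, description for Description) are an assumption, and Sounds Like is mapped to LDAP's approximate-match operator (~=).

```python
# Added example, not part of NetWare Web Manager. Maps one row of the
# "Find All ... Whose" form (attribute, match type, search string) to an
# LDAP search filter. The attribute names are assumed, not taken from the product.
FORM_ATTRIBUTES = {
    "Full Name": "cn",              # Find All Groups Whose
    "Unit name": "ou",              # Find All Units Whose
    "Description": "description",   # both forms
}

# Characters that are special inside a filter value (RFC 4515) and their escapes.
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\0": "\\00"}


def escape_filter_value(text):
    """Escape a user-supplied value so the filter matches it literally."""
    return "".join(_ESCAPES.get(ch, ch) for ch in text)


def build_filter(field, match, text):
    """Return the LDAP filter for one row of the Find All ... Whose form."""
    attr = FORM_ATTRIBUTES[field]
    value = escape_filter_value(text)
    if match == "Contains":
        return f"({attr}=*{value}*)"
    if match == "Is":
        return f"({attr}={value})"
    if match == "Isn't":                 # anything that does not exactly match
        return f"(!({attr}={value}))"
    if match == "Sounds Like":           # approximate (phonetic) match
        return f"({attr}~={value})"
    if match == "Starts with":
        return f"({attr}={value}*)"
    if match == "Ends with":
        return f"({attr}=*{value})"
    raise ValueError(f"unknown match type: {match!r}")
```

Because the string is escaped before it is placed in the filter, a value such as `a*)(cn=` is searched for literally instead of being parsed as extra filter terms.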


Editing Organizational Unit Attributes 
To change an organizational unit entry: 


1 Under General Administration, click Users & Groups > Manage 
Organizational Units. 


2 Find the organizational unit you want to edit. 


See “Finding Organizational Units” on page 66 for more information. 


3 In the organizational unit edit form, change the displayed fields as 
desired. 


4 Click Save Changes. 


HINT: It is possible that you will want to change an attribute value that is not 
displayed by the organizational unit edit form. In this situation, use the 
ldapmodify command-line utility. 

Renaming Organizational Units 
To rename an organizational unit entry: 


1 Make sure no other entries exist in the directory under the organizational 
unit that you want to rename. 


2 Under General Administration, click Users & Groups > Manage 
Organizational Units. 


3 Find the organizational unit you want to edit. 
See “Finding Organizational Units” on page 66 for more information. 
4 Click Rename. 
5 Type the new organizational unit name. 
When you rename an organizational unit entry, you can only change the 
organizational unit's name; you cannot use the Rename feature to move the 
entry from one organizational unit to another. For example, suppose you have 


+ Organizational units for Marketing and Engineering 


+ An organizational unit called User Research under the Marketing 
organizational unit 


You can rename the entry from User Research to User Validation, but you 
cannot rename the entry such that User Research under the Marketing 
organizational unit becomes User Research under the Engineering 
organizational unit. 


Deleting Organizational Units 
To delete an organizational unit entry: 


1 Make sure no other entries exist in the directory under the organizational 
unit that you want to delete. 


2 Under General Administration, click Users & Groups > Manage 
Organizational Units. 
3 Find the organizational unit you want to delete. 


See “Finding Organizational Units” on page 66 for more information. 


4 Click Delete > OK. 


Importing a Directory from LDIF 


If you do not currently have a directory or if you want to add a new sub-tree 
to an existing directory, you can use the Users and Groups import function. 
This function accepts a file containing LDAP Data Interchange Format 
(LDIF) and attempts to build a directory or a new sub-tree from the LDIF 
entries. 


If you are using the local directory, the import function will optionally 
overwrite any existing directories. If you are using a directory server and you 
attempt to import an entry that already exists, then that operation will fail. 


To merge LDIF formatted entries into an existing directory (either for a local 
directory or for directory server), it is best to convert the LDIF to LDIF update 
statements and use ldapmodify to perform the merge. 


To create a new directory or sub-tree: 
1 Under General Administration, click Users & Groups > Import. 


2 In the Import from LDIF File field, type the full pathname to the LDIF 
file containing the entries you want to add to your directory. 


3 Check Stop On Errors if you want the import to fail completely if any 
single add operation fails. 


4 If you are using the local directory, check Erase Existing Database if you 
want your existing database to be erased when a new directory is 
imported from LDIF. 


If Erase Existing Database is not checked, then the import function will 
attempt to add the contents of the LDIF file to the existing directory. 
However, if the import function attempts to add an entry to the directory 
that already exists, an error is returned. Whether the import function 
continues or stops immediately is dependent on whether Stop On Errors 
is checked. 
5 Click Begin Import. 


Exporting a Directory to LDIF 


You can export your current directory to LDIF using the Users and Groups 
export function. This function creates an LDIF-formatted file that represents 
your directory. 


To export your directory to an LDIF file: 
1 Under General Administration, click Users & Groups > Export. 


2 In the Export to LDIF File field, type the full pathname to the file in which 
you want the LDIF to be placed. 


Note that if you do not enter a full pathname, the file is placed in 
NSHOME\DB\LDAP\TOOLS, where NSHOME is NetWare Web 
Manager's installation root directory. 


3 If you are exporting a local directory to the directory server, specify a 
suffix in the Suffix to Add field. 


The suffix you specify must match at least one of the suffixes configured 
for your directory server. 


4 Click OK. 
ldapmodify 


Modifying the Directory 


You can modify directory entries using either the Users & Groups area of 
NetWare® Web Manager, which provides you with only essential 
modification capabilities, or you can use the ldapmodify command-line tool 
for more complex modifications that involve a wider range of attributes and 
attribute values. 


You use ldapmodify to add, delete, or modify entries in your directory. It can 
be used either with the directory server or with a local directory that is bundled 
with NetWare Web Manager. 


You direct ldapmodify’s actions through LDAP Data Interchange Format 
(LDIF) update statements. 


You can find ldapmodify at the following location under NetWare Web 
Manager: 


NOVONYX\SUITESPOT\USERDB\LDAP\TOOLS\ 


LDIF Update Statements 


You use LDIF update statements to define how ldapmodify should change 
your directory. In general, LDIF update statements are a series of statements 
that 


+ Specify the distinguished name of the entry to be modified. 
+ Specify a change type that defines how a specific entry is to be modified 
(add, delete, modify, or modrdn). Note that a change type is required 
unless you specify the -a option. If you specify the -a option, then an add 
operation (CHANGETYPE: ADD) is assumed. However, any other 
change type will override the -a option. 


If you specify a modify operation (changetype: modify), a change 
operation is required that indicates how the entry should be changed. 


If you specify CHANGETYPE: MODRDN, change operations are 
required that specify how the relative distinguished name (RDN) is to be 
modified. A distinguished name’s RDN is the left-most value in the DN. 
For example, the distinguished name 

uid=ssarette, o=Ace Industry, c=US 


has a RDN of uid=ssarette. 
+ Specify a series of attributes and their changed values. 


The general format of LDIF update statements is as follows: 
dn: distinguished name 
changetype identifier 
change operation identifier 
list of attributes 
- 
change operation identifier 
list of attributes 


IMPORTANT: A hyphen (-) must be used to denote the end of a change 
operation if subsequent change operations are specified. For example, the 
following statement adds the telephone number and manager attributes to the 
entry: 
dn: cn=Brad Cummings, ou=Sales, o=Ace Industry, c=US 
changetype: modify 
add: telephonenumber 
telephonenumber: (408) 555-2468 
- 
add: manager 
manager: cn=Brooke Warren, ou=Manufacturing, o=Ace Industry, c=US 

In addition, the line continuation operator is a single space. Therefore, the 
following two statements are identical: 
dn: cn=Brad Cummings, ou=Sales, o=Ace Industry, c=US 

dn: cn=Brad Cummings, 
 ou=Sales, 
 o=Ace Industry, 
 c=US 

Change Types 

There are four change types that you can use: add, delete, modify, and modrdn. 
Note that you can use the modify change type to add, replace, or remove 
attribute values. The following sections describe the change types in detail. 


Adding New Entries with CHANGETYPE:ADD 


Use CHANGETYPE:ADD to add entire new entries. The format of this type 
of change is essentially the same as an LDIF-formatted entry (LDIF is 
described in “Using LDIF” on page 97). The format is 
dn: distinguished name 

changetype: add 

objectClass: objectClass 

objectClass: objectClass 


attribute type: attribute value 
attribute type: attribute value 


Deleting Entries with CHANGETYPE:DELETE 

Use CHANGETYPE:DELETE to delete the entire entry. The format is 
dn: distinguished name 

changetype: delete 


Renaming Entries with CHANGETYPE:MODRDN 
Use CHANGETYPE:MODRDN to change the RDN of an entry. In essence, 
this renames the entry. An entry’s RDN is the left-most element in its 
distinguished name. 
The format is 

dn: distinguished name 
changetype: modrdn 
newrdn: new rdn 
deleteoldrdn: 0|1 


where DELETEOLDRDN indicates whether the old RDN is to be deleted. If 
0 is specified, then the attribute values of the old RDN are included in the entry 
corresponding to the new RDN. 


Modifying Entries with CHANGETYPE:MODIFY 


Use CHANGETYPE:MODIFY to add, replace, or remove attributes and 
attribute values to the entry. When you specify changetype: modify, you must 
also provide a change operation to indicate how the entry is to be modified. 
Change operations include the following: 


+ ADD:ATTRIBUTE: Adds the specified attribute or attribute value. If the 
attribute does not currently exist for the entry, then the attribute and its 
corresponding value are created. If the attribute already exists for the 
entry, then the specified attribute value is added to the existing value. 


+ REPLACE:ATTRIBUTE: The specified values are used to entirely 
replace the attribute’s value. If the attribute does not already exist, it is 
created. If no replacement value is specified for the attribute, the attribute 
is deleted. 


+ DELETE:ATTRIBUTE: The specified attribute is deleted. If more than 
one instance of an attribute exists for the entry, then all instances of the 
attribute are deleted in the entry. To delete just one of many attribute 
instances, specify the attribute and associated value on the line following 
the DELETE:ATTRIBUTE change operation. 


The format is 

dn: distinguished name 
changetype: modify 
add: attribute type 
attribute type: attribute value 
attribute type: attribute value 
- 
replace: attribute type 
attribute type: attribute value 
attribute type: attribute value 
- 
delete: attribute type 
attribute type: attribute value 
attribute type: attribute value 
- 
... 


Adding an Entry 


Use CHANGETYPE:ADD to add an entry to your directory. When you add 
an entry, make sure to create an entry representing a branch point before you 
try to create new entries under that branch. If you want to place an entry in a 
Marketing and an Accounting sub-tree, then create the branch point for those 
sub-trees before creating entries within the sub-trees. For example, 

dn: o=Ace Industry, c=US 
dn: ou=Marketing, o=Ace Industry, c=US 
Marketing subtree entries. 
dn: ou=Accounting, o=Ace Industry, c=US 
Accounting subtree entries. 


The following LDIF update statements can be used to create the Marketing 
and the Accounting subtrees and then create entries within those trees: 

dn: o=Ace Industry, c=US 
changetype: add 
objectclass: organization 
organizationName: Ace Industry 

dn: ou=Marketing, o=Ace Industry, c=US 
changetype: add 
objectclass: organizationalUnit 
ou: Marketing 

dn: cn=Pete Minsky, ou=Marketing, o=Ace Industry, c=US 
changetype: add 
objectclass: person 
objectclass: organizationalPerson 
objectclass: inetOrgPerson 
cn: Pete Minsky 
cn: Pete 
sn: Minsky 
ou: Marketing 
uid: pminsky 

dn: cn=Sue Jacobs, ou=Marketing, o=Ace Industry, c=US 
changetype: add 
objectclass: person 
objectclass: organizationalPerson 
objectclass: inetOrgPerson 
cn: Sue Jacobs 
cn: Sue 
sn: Jacobs 
ou: Marketing 
uid: sjacobs 

dn: ou=Accounting, o=Ace Industry, c=US 
changetype: add 
objectclass: organizationalUnit 
ou: Accounting 

dn: cn=Lisa Nielson, ou=Accounting, o=Ace Industry, c=US 
changetype: add 
objectclass: person 
objectclass: organizationalPerson 
objectclass: inetOrgPerson 
cn: Lisa Nielson 
cn: Lisa 
sn: Nielson 
ou: Accounting 
uid: lnielson 

dn: cn=Byron Zuraski, ou=Accounting, o=Ace Industry, c=US 
changetype: add 
objectclass: person 
objectclass: organizationalPerson 
objectclass: inetOrgPerson 
cn: Byron Zuraski 
cn: Byron 
sn: Zuraski 
ou: Accounting 
uid: bzuraski 


If you are simply adding entries to your directory, you can avoid the 
CHANGETYPE:ADD statement by specifying the -a option on the call to 
ldapmodify. In this case, simply provide LDIF (as opposed to LDIF update 
statements) to ldapmodify. For example, 

dn: o=Ace Industry, c=US 
objectclass: organization 
organizationName: Ace Industry 

dn: ou=Marketing, o=Ace Industry, c=US 
objectclass: organizationalUnit 
ou: Marketing 

dn: cn=Pete Minsky, ou=Marketing, o=Ace Industry, c=US 
objectclass: person 
objectclass: organizationalPerson 
objectclass: inetOrgPerson 
cn: Pete Minsky 
cn: Pete 
sn: Minsky 
ou: Marketing 


Deleting an Entry 


You use CHANGETYPE:DELETE to delete an entry from your directory. 
When you delete an entry, make sure that no other entries exist under that entry 
in the directory tree. You can not delete an organizational unit entry unless you 
have first deleted all the entries that belong to the organizational unit. 


The following LDIF update statements can be used to delete the person 
entries: 

dn: cn=Pete Minsky, ou=Marketing, o=Ace Industry, c=US 
changetype: delete 

dn: cn=Sue Jacobs, ou=Marketing, o=Ace Industry, c=US 
changetype: delete 


Renaming an Entry 


You use CHANGETYPE:MODRDN to rename an entry. This rename 
operation allows you to change the left-most value in an entry’s distinguished 
name. For example, the entry 

cn=Sue Jacobs, ou=Marketing, o=Ace Industry, c=US 


can be modified to be 
cn=Susan Jacobs, ou=Marketing, o=Ace Industry, c=US 


but it can not be modified to be 
cn=Sue Jacobs, ou=Accounting, o=Ace Industry, c=US 


The following example can be used to rename Sue Jacobs to Susan Jacobs: 


dn: cn=Sue Jacobs, ou=Marketing, o=Ace Industry, c=US 
changetype: modrdn 
newrdn: cn=Susan Jacobs 
deleteoldrdn: 0 


Because DELETEOLDRDN is 0, this example retains the existing RDN in the 
new entry. The resulting entry would therefore have a common name (CN) 
attribute set to both Sue Jacobs and Susan Jacobs in addition to all the other 
attributes included in the original entry. 
Modifying an Entry 


In addition to adding, deleting, and renaming entire entries in your directory, 
you can use ldapmodify to modify attributes and their values. 


Deleting an Attribute 


You use CHANGETYPE:MODIFY with the delete operation to delete an 
attribute from an entry. If the entry has more than one instance of the attribute, 
you must indicate which of the attributes you want to delete. 


For example, the following LDIF update statement deletes all instances of the 
telephonenumber attribute from the entry, regardless of how many times it 
appears in the entry: 


dn: cn=Sam Warren, ou=Sales, o=Ace Industry, c=US 
changetype: modify 
delete: telephonenumber 


If you want to delete just a specific instance of the telephonenumber attribute, 
then you simply delete that specific attribute value. 


Deleting an Attribute Value 


You use CHANGETYPE:MODIFY with the delete operation to delete an 
attribute value from an entry. You must then indicate which of the actual 
attributes you want to delete. 


For example, consider the following entry: 
cn=Sam Warren, ou=Sales, o=Ace Industry, c=US 
objectClass: inetOrgPerson 
cn: Sam Warren 
sn: Warren 
telephonenumber: 555-1212 
telephonenumber: 555-5678 


To delete the 555-1212 telephone number from this entry, use the following 
LDIF update statement: 
dn: cn=Sam Warren, ou=Sales, o=Ace Industry, c=US 
changetype: modify 
delete: telephonenumber 
telephonenumber: 555-1212 
Sam's entry then becomes: 
cn=Sam Warren, ou=Sales, o=Ace Industry, c=US 
objectClass: inetOrgPerson 
cn: Sam Warren 
sn: Warren 
telephonenumber: 555-5678 


Adding Attributes 


You use CHANGETYPE:MODIFY with the add operation to add an attribute 
and an attribute value to an entry. 


For example, the following LDIF update statement adds a telephone number 
to the entry: 
dn: cn=Sam Warren, ou=Sales, o=Ace Industry, c=US 
changetype: modify 
add: telephonenumber 
telephonenumber: 555-1212 


The following example adds two telephone numbers to the entry: 
dn: cn=Sam Warren, ou=Sales, o=Ace Industry, c=US 
changetype: modify 
add: telephonenumber 
telephonenumber: 555-1212 
telephonenumber: 555-6789 


The following example adds two telephone numbers and a manager attribute 
to the entry: 


dn: cn=Sam Warren, ou=Sales, o=Ace Industry, c=US 
changetype: modify 
add: telephonenumber 
telephonenumber: 555-1212 
telephonenumber: 555-6789 
- 
add: manager 
manager: cn=Sally Nixon, ou=Sales, o=Ace Industry, c=US 


Changing an Attribute Value 

You use CHANGETYPE:MODIFY with the replace operation to change an 
attribute value when there is only a single instance of that attribute in the 
entry. 
For example, the following LDIF update statement changes Sam's manager 
from Mike Nelson to Denise Olsen: 
dn: cn=Sam Warren, ou=Sales, o=Ace Industry, c=US 
changetype: modify 
replace: manager 
manager: cn=Denise Olsen, ou=Sales, o=Ace Industry, c=US 


If the entry has multiple instances of the attribute, then to change one of the 
attribute values, you must delete the attribute value that you want to change 
and then add the replacement value. For example, consider the following 
entry: 
cn=Sam Warren, ou=Sales, o=Ace Industry, c=US 
objectClass: inetOrgPerson 
cn: Sam Warren 
sn: Warren 
telephonenumber: 555-1212 
telephonenumber: 555-5678 


To change 555-1212 to 555-4321, use the following LDIF update statement. 
The line containing only a hyphen (-) separates the delete operation from 
the add operation: 


dn: cn=Sam Warren, ou=Sales, o=Ace Industry, c=US 
changetype: modify 
delete: telephonenumber 
telephonenumber: 555-1212 
- 
add: telephonenumber 
telephonenumber: 555-4321 


Sam's entry is now as follows: 


cn=Sam Warren, ou=Sales, o=Ace Industry, c=US 
objectClass: inetOrgPerson 
cn: Sam Warren 
sn: Warren 
telephonenumber: 555-5678 
telephonenumber: 555-4321 


Using ldapmodify 


You can perform minimal modifications to directory entries using the Users & 
Groups area of NetWare Web Manager. To perform more complex 
modifications, use ldapmodify with LDIF update statements. 


This section describes how to use ldapmodify. 


NOTE: In order for users to successfully authenticate to NetWare Web 
Manager, a unique uid attribute must be placed on their directory entries. The 
Users & Groups area of NetWare Web Manager automatically creates a uid 
when it creates an entry, and NetWare Web Manager ensures that the uid is 
unique. However, ldapmodify does none of these things. Make sure that when 
you are creating entries using ldapmodify that you place a unique uid on each 
new user entry. 


Using Quotation Marks 


When using the ldapmodify command line utility, you may need to specify 
values that contain characters that have special meaning to the command-line 
interpreter (such as space [ ], asterisk [*], backslash [\], and so forth). When 
this situation occurs, enclose the value in quotation marks (""). For example, 


-D "cn=Barbara Jensen, ou=Product Development, o=Ace Industry, c=US" 


NOTE: Depending on which command-line interpreter you are using, you 
should use either single or double quotation marks for this purpose. Refer to 
your operating system documentation for more information. 


Providing Input from the Command Line 


Using ldapmodify, you can provide LDIF update statements both from an 
input file (using the -f option), and from the command line. If you want to 
provide input from the command line, do not specify the -f option. 


You can also use ldapmodify to collect statements that you enter in the 
command line just as if it were reading the statements from a file. When you 
are done providing statements to the utility, type the character that your 
command-line processor recognizes as the end-of-file (EOF) marker. This 
causes the utility to begin operations based on the input you have supplied. 


Although configurable, the EOF escape sequence is almost always Control-D 
(^D) under UNIX* and usually Ctrl-Z followed by RETURN (^Z RETURN) 
under Windows* NT. 


For example, suppose you wanted to specify some LDIF update statements to 
ldapmodify. Then you would do the following: 


prompt> ldapmodify -D bindDN -w password -h hostname 
> dn: cn=Barry Nixon, ou=Manufacturing, o=Ace Industry, c=US 
> changetype: modify 
> delete: telephonenumber 
> - 
> add: manager 
> manager: cn=Harry Cruise, ou=Manufacturing, o=Ace Industry, c=US 
> ^D 
prompt> 


Quotation marks are not needed around the DN here: ldapmodify, not the 
command-line interpreter, reads these lines, so any quotation marks you type 
would become part of the DN. Because no value follows delete: 
telephonenumber, every telephone number on the entry is removed. 

Commonly Used ldapmodify Parameters 


To modify an entry or entries in an existing directory, use the ldapmodify 
command-line utility with the following parameters: 


-D Specifies the distinguished name with which to authenticate to the server. The 
value must be a DN recognized by the directory server or the local directory, 
and it must also have the authority to modify the entries. 


-w Specifies the password associated with the distinguished name specified in 
the -D option. A password given on the command line is visible to other users 
of the machine in the process list and may be recorded in the shell's command 
history, so use an account with no more authority than the change requires. 


-h Specifies the name of the host on which the server is running. 


-p Specifies the port number that the server uses. The default number is 389. 


-C Specifies the location of the configuration file for the local directory in which to 
perform the modifications. By default, the location of this file is 


NSHOME\USERDB\LDAP\CONFIG\LCACHE.CONF 


NSHOME is the directory where NetWare Web Manager is installed. This 
parameter is required if you are using this tool with a Netscape local directory. 


-f Specifies the file containing the LDIF update statements used to define the 
directory modifications. This is an optional parameter. For information on 
supplying LDIF update statements from the command line, refer to "Providing 
Input from the Command Line" on page 83. 


Additional ldapmodify Parameters 


The following parameters offer additional functionality: 


-b Causes the utility to check each attribute value to determine whether the value 
is a valid file reference. If the value is a valid file reference, then the contents 
of the referenced file is used as the attribute value. This is often used for 
specifying a path to a file containing binary data, such as a JPEG image. For 
example, if you wanted to add a jpegPhoto attribute, then specify the -b option 
on the ldapmodify call. In the LDIF you provide to ldapmodify, include 
something like the following: 


jpegPhoto: /TMP/PHOTO.JPEG 


ldapmodify will read the contents of /TMP/PHOTO.JPEG into the jpegPhoto 
attribute that you are placing on the entry. Because -b turns any attribute 
value that happens to name a readable file into that file's contents, use it only 
with LDIF you wrote yourself, never with LDIF received from an untrusted 
source. 


-c Specifies that the utility runs in continuous operation mode. Errors are 
reported, but the utility will continue with modifications. The default is to quit 
after reporting an error. 


-n Specifies that the entries are not to be actually modified, but that ldapmodify 
is to show what it would do with the specified input. 


-R Specifies that referrals are not to be followed automatically. 


-v Specifies that the utility is to run in verbose mode. 


Example of Idapmodify Used with a Local Directory 


Consider the following scenario using ldapmodify to work with a local 
directory. As the administrator, 


+ You want to modify entries as specified in the file modify_statements. 


+ You have configured a special entry for the database administrator that 
has the authority to modify the entries, and that entry has the 
distinguished name of cn=Directory Manager, o=Ace Industry, c=US. 


+ The database administrator's password is Top~Secret. 


+ The server is located on hostname JazzArts. 


+ The server uses port number 845. 


Then to modify the entries, first specify the appropriate LDIF update 
statements in the modify_statements file, and then enter the following 
command (on one line): 


ldapmodify -D "cn=Directory Manager, o=Ace Industry, c=US" -w Top~Secret -h JazzArts -p 845 -C NSHOME/userdb/ldap/config/lcache.conf -f modify_statements 


The previous example references the ldapmodify utility that is bundled with 
NetWare Web Manager. 


You can find the ldapmodify command-line utility at the location where 
NetWare Web Manager was installed. Go to the NSHOME/USERDB/LDAP/ 
TOOLS directory. 
Finding Directory Entries 


You can find entries in your directory using either the Users & Groups area of 
NetWare® Web Manager or the ldapsearch command-line utility. In either 
case, you can use search filters to locate entries. 


Using ldapsearch 


You can use ldapsearch to locate entries in your directory. You can use 
ldapsearch either with the directory server or with a Netscape local directory 
that is bundled with NetWare Web Manager. You direct ldapsearch's actions 
through search filters. ldapsearch can be located under NetWare Web 
Manager at 


NSHOME\USERDB\LDAP\TOOLS\LDAPSEARCH 


NSHOME is the directory where you installed NetWare Web Manager. 


Search Filters 


Search filters select the entries to be returned after the search is completed. 
Search filters are most commonly used with the ldapsearch command-line 
utility. When you are using ldapsearch, you can place multiple search filters 
in a file, with each filter on a separate line, or you can specify a search filter 
directly on the command-line call to ldapsearch. 


For example, the following filter specifies a search for a common name equal 
to Brooke Davis: 
cn=brooke davis 
Search Filter Syntax 


The basic syntax of a search filter is 
attribute operator value 


for example, 
employeenumber >= 100 


In this example, employeenumber is the attribute, >= is the operator, and 100 
is the value. You can also define filters that combine attributes using boolean 
operators. 


The following topics describe search filters in detail. 


Using Attributes in Search Filters 

When searching for an entry, you can specify attributes associated with that 
type of entry. For example, when you search for entries about people, you can 
use the CN attribute to search for people with a specific common name. 
Examples of attributes for entries about users or clients might include 

+ cn—the person’s common name 

+ sn—the person’s surname, last name, or family name 

+ telephonenumber—the person’s telephone number 


+ employeenumber—the person’s employee number 


+ l (lowercase L)—the person’s location 


Using Operators in Search Filters 


The following table (Table 3) lists the available search filter operators. 


88 Managing NetWare Web Servers 


Table 3  Search Operators 


Search Type               Symbol            Description 

Equality                  =                 Returns entries containing attributes set to 
                                            the specified value, for example, 
                                            cn=Bob Johnson. 

Substring                 =string* string   Returns entries containing attributes containing 
                                            the specified substring, for example, cn=Bob*, 
                                            cn=*Johnson, cn=*John*, cn=B*John. 

Greater than or equal to  >=                Returns entries containing attributes that are 
                                            greater than or equal to the specified value, 
                                            for example, employeenumber >= 100. 

Less than or equal to     <=                Returns entries containing attributes that are 
                                            less than or equal to the specified value, for 
                                            example, employeenumber <= 100. 

Presence                  =*                Returns entries containing the specified 
                                            attribute, for example, cn=*, 
                                            telephonenumber=*, manager=*. 

Approximate               ~=                Returns entries containing the specified 
                                            attribute that is approximately equal to the 
                                            specified value, for example, cn~=suret, 
                                            l~=san fransico. 
Using Multiple Search Filters 


Multiple search operations can be combined using boolean operators 
expressed in prefix notation as follows: 


(boolean operator (search operation) (search operation) (search operation) ...) 


where operator is any one of the boolean operators. In addition, multiple 
boolean search operators can be nested together to form complex expressions, 
such as 


(boolean operator (search operation) (operator (search operation) (search operation))) 


Boolean Operators 


The boolean operators available for use with search filters are explained in the 
following table: 


Operator  Symbol  Description 

And       &       All specified filters must be true for the statement to be 
                  true. For example, (&(filter)(filter)(filter)...) 

Or        |       At least one specified filter must be true for the statement 
                  to be true. For example, (|(filter)(filter)(filter)...) 

Not       !       The specified statement must not be true for the statement 
                  to be true. Note that only one filter is affected by the not 
                  operator. For example, (!(filter)) 

Search Filter Examples 


The following filter searches for entries containing the manager attribute. 
This is also known as a presence search. 


manager=* 


The following filter searches for entries containing the common name of 
Ethan Warnick. This is also known as an equality search. 
cn=Ethan Warnick 


The following filter returns any entries that do not contain the common name 
of Ethan Warnick. 


(! (cn=Ethan Warnick) ) 


The following filter returns any entries that contain a description attribute with 
a substring of X.500. 


description=*X.500* 


The following filter returns any entries whose organizational unit is Marketing 
and whose description field does not contain the substring X.500. 
(&(ou=Marketing)(!(description=*X.500*))) 


The following filter returns any entries whose organizational unit is Marketing 
and that list Julie Fulmer or Cindy Zwaska as a manager. 
(&(ou=Marketing)(|(manager="cn=Julie Fulmer,ou=Marketing,o=Ace Industry,c=US")(manager="cn=Cindy Zwaska,ou=Marketing,o=Ace Industry,c=US"))) 


The following filter returns any entries that do not represent a person. 
(! (objectClass=person)) 


The following filter returns any entries that do not represent a person and 


whose common name is similar to printer3b. 
(&(!(objectClass=person))(cn~=printer3b)) 
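The filter syntax of this section, as an added worked example that is not part of the NetWare documentation or of the ldapsearch tool: a small Python parser and evaluator for the operators in Table 3 and the boolean forms above, run against constructed entries modelled on the Ace Industry examples. It also shows the check a practitioner wants when filters are built from user input: an unescaped asterisk turns an equality match on one person into a presence search that matches everyone, so a value taken from a form must go through an escape routine (here escape_filter_value, following RFC 4515) first. The entry dictionaries, the approximate-match rule (ignore case and whitespace) and the escaping function are assumptions of the example, not behaviour the manual describes for the Netscape server.

```python
import re

# Added example, not the product's code. Values compare case-insensitively (as integers
# when both sides are digits); "~=" is approximated by ignoring case and whitespace,
# standing in for the server's own approximate matching; a ')' or '*' that is part of a
# value must be escaped as \29 or \2a (RFC 4515). The sample entries are constructed.

def parse_filter(text):
    """Parse a filter such as (&(ou=Marketing)(!(description=*X.500*))) into a tree."""
    text = text.strip()
    if not text.startswith("("):                 # bare attr=value form, as typed on the command line
        text = "(" + text + ")"
    node, end = _parse(text, 0)
    if end != len(text):
        raise ValueError("trailing text after filter: %r" % text[end:])
    return node

def _parse(s, i):
    if i >= len(s) or s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if i < len(s) and s[i] in "&|!":             # boolean operator in prefix notation
        op, kids, i = s[i], [], i + 1
        while i < len(s) and s[i] == "(":
            kid, i = _parse(s, i)
            kids.append(kid)
        if i >= len(s) or s[i] != ")":
            raise ValueError("missing ')' after '%s' expression" % op)
        if op == "!" and len(kids) != 1:
            raise ValueError("'!' applies to exactly one filter")
        return (op, kids), i + 1
    j = s.find(")", i)
    if j < 0:
        raise ValueError("unterminated filter item")
    m = re.match(r"([A-Za-z][\w.;-]*)\s*(~=|>=|<=|=)\s*(.*)$", s[i:j])
    if not m:
        raise ValueError("malformed filter item: %r" % s[i:j])
    return ("item", m.group(1).lower(), m.group(2), m.group(3)), j + 1

def _unescape(v):
    return re.sub(r"\\([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), v)

def _compare(a, b):
    if a.isdigit() and b.isdigit():
        a, b = int(a), int(b)
    return (a > b) - (a < b)

def matches(node, entry):
    """True if the entry (dict of lower-case attr -> list of values) satisfies the filter."""
    kind = node[0]
    if kind == "&":
        return all(matches(k, entry) for k in node[1])
    if kind == "|":
        return any(matches(k, entry) for k in node[1])
    if kind == "!":
        return not matches(node[1][0], entry)
    _, attr, op, raw = node
    values = [v.lower() for v in entry.get(attr, [])]
    if op == "=" and raw == "*":                 # presence
        return bool(values)
    if op == "=" and "*" in raw:                 # substring: wildcards between literal pieces
        pat = ".*".join(re.escape(_unescape(p).lower()) for p in raw.split("*"))
        return any(re.fullmatch(pat, v, re.S) for v in values)
    want = _unescape(raw).lower()
    if op == "=":                                # equality
        return want in values
    if op == ">=":
        return any(_compare(v, want) >= 0 for v in values)
    if op == "<=":
        return any(_compare(v, want) <= 0 for v in values)
    return any(re.sub(r"\s+", "", v) == re.sub(r"\s+", "", want) for v in values)  # ~=

def search(entries, filter_text):
    """Return the DNs of the entries matching the filter, in input order."""
    node = parse_filter(filter_text)
    return [dn for dn, attrs in entries if matches(node, attrs)]

def escape_filter_value(value):
    """Escape a value taken from user input before splicing it into a filter (RFC 4515),
    so that * ( ) \\ and NUL cannot change the filter's structure."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

ENTRIES = [
    ("cn=Ethan Warnick, ou=Marketing, o=Ace Industry, c=US",
     {"cn": ["Ethan Warnick"], "ou": ["Marketing"], "objectclass": ["person", "inetOrgPerson"],
      "description": ["X.500 directory pilot"], "employeenumber": ["120"],
      "manager": ["cn=Julie Fulmer,ou=Marketing,o=Ace Industry,c=US"]}),
    ("cn=Brooke Davis, ou=Marketing, o=Ace Industry, c=US",
     {"cn": ["Brooke Davis"], "ou": ["Marketing"], "objectclass": ["person", "inetOrgPerson"],
      "employeenumber": ["98"], "l": ["San Francisco"]}),
    ("cn=printer3b, ou=Facilities, o=Ace Industry, c=US",
     {"cn": ["printer3b"], "ou": ["Facilities"], "objectclass": ["device"]}),
]

if __name__ == "__main__":
    user_input = "*"                             # a wildcard slipped in through a login form
    print(search(ENTRIES, "(cn=%s)" % user_input))                       # every entry
    print(search(ENTRIES, "(cn=%s)" % escape_filter_value(user_input)))  # nothing
```

The two print lines contrast the unescaped and the escaped form of the same input. A real LDAP server treats the unescaped form the same way, which is why any value that reaches a filter from a form field or a URL must pass through an escape routine before ldapsearch or an application sends it.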


Using ldapsearch 


You can use the ldapsearch command-line utility to locate and retrieve 
directory entries. This utility opens a connection to the specified server using 
the specified distinguished name and password and locates entries based on a 
specified search filter. Alternatively, this utility can access a Netscape local 
directory and search it for entries. Search scopes can include a single entry, an 
entry’s immediate subentries, or an entire tree or sub-tree. 


Search results are returned in LDIF format. 


Using Quotation Marks 


When using the ldapsearch command-line utility, you may need to specify 
values that contain characters that have special meaning to the command-line 
interpreter (such as space [ ], asterisk [*], backslash [\], and so forth). When 
this situation occurs, enclose the value in quotation marks (""). For example, 


-D "cn=Barbara Jensen, ou=Product Development, o=Ace Industry, c=US" 


IMPORTANT: Depending on which command-line interpreter you are using, 
you should use either single or double quotation marks for this purpose. Refer 
to your operating system documentation for more information. 


Commonly Used ldapsearch Parameters 


To locate an entry in an existing database, use the ldapsearch command-line 
utility with the following parameters: 


-D Specifies the distinguished name (DN) a user uses to authenticate to the 
server. This parameter is optional if anonymous access is supported by your 
server. If specified, this value must be a DN recognized by the directory server 
or the local directory, and it must also have the authority to search for the 
entries. 


-w Specifies the password associated with the DN that is specified in the -D 
option. This parameter is required if the -D option is specified. As with 
ldapmodify, a password on the command line can be seen by other users of 
the machine in the process list and may be kept in the shell's command history. 


-h Specifies the name of the host on which the directory server is running. 


-p Specifies the port number that the directory server uses. The default number 
is 389. 


-C Specifies the location of the configuration file for the local directory in which to 
perform the search. By default, the location of this file is 


NSHOME\USERDB\LDAP\CONFIG\LCACHE.CONF 


NSHOME is the directory where NetWare Web Manager is installed. This 
parameter is required if you are using this tool with a Netscape local directory. 


This parameter is supported only if you are using a Netscape local directory 
bundled with NetWare Web Manager. 


-b Specifies the starting point for the search. The value specified here must be a 
distinguished name that currently exists in the database. This parameter is 
optional if the LDAP_BASEDN environment variable has been set to a base 
DN. 


The value specified in this parameter should be provided in double quotation 
marks. For example, -b “cn=Barbara Jensen, ou=Product Development, 
o=Ace Industry, c=US”. 


-s Specifies the scope of the search. The scope can be one of the following: 
+ Base: Searches only the entry specified in the -b option. 


+ One: Searches only the most immediate children of the entry specified in 
the -b parameter. Note that only the children are searched; the actual entry 
specified in the -b parameter is not searched. 


+ Sub: Searches the entry specified in the -b parameter and all of its 
descendants. That is, performs a sub-tree search starting at the point 
identified in the -b parameter. This is the default. 


-l Specifies the maximum number of seconds to wait for a search request to 
complete. Regardless of the value specified here, Idapsearch will never wait 
longer than is allowed by the server’s Time Limit parameter. 

-z Specifies the maximum number of entries to return in response to a search 
request. Regardless of the value specified here, ldapsearch will never return 
more entries than is allowed by the server's Size Limit parameter. 


Additional Idapsearch Parameters 


To further customize a search, use the following optional parameters: 


-f Specifies the file containing the search filter to be used in the search. Search 
filters are described in Search Filters. Omit this parameter if you want to 
supply a search filter directly to the command line. 
-A Specifies that the search retrieve the attributes only, not the attribute values. 
This parameter is useful if you just want to determine if an attribute is present 
for an entry and you are not interested in the attribute value. 


-a Specifies how alias de-referencing is completed. The value can be Never, 
Always, Search, or Find. The default value is Never. 


-n Specifies that the search is not to be actually performed, but that ldapsearch 
is to show what it would do with the specified input. 


-R Specifies that referrals are not to be followed automatically. 


-S Specifies the attribute to use as the sort criteria. The default is not to sort the 
returned entries. If the attribute is the zero-length string (""), the entries will be 
sorted by their DN. 


-t Specifies that the results be written to a set of temporary files. 


-u Specifies that the user-friendly form of the DN be used in the output. 


-v Specifies that the utility is to run in verbose mode. 


Example of Idapsearch Used with a Local Directory 


Consider the following scenario using ldapsearch to work with a local 
directory. As the administrator, 


+ You want to perform searches based on filters contained in the file 
SEARCHDB. 


+ You want to perform a search for all entries below the marketing sub-tree. 


+ The database administrator’s password is Top~Secret. 


To perform the search, first specify the appropriate search filter in the 
SEARCHDB file and then enter the following command. Note that the 
-C option references the local directory’s configuration file rather than an 
actual database location: 


Example ldapsearch Used with the Directory Server 


Consider the following scenario using ldapsearch to work with the Directory 
Server. As the administrator, 
+ You want to perform searches based on filters contained in the file 
SEARCHDB. 


+ You want to perform a search for all entries below the marketing sub-tree. 


+ You have configured a special entry for the database administrator who 
has the authority to modify the entries, and that entry has the DN of 
cn=Directory Manager, o=Ace Industry, c=US. 


+ The database administrator’s password is Top~Secret. 


+ The server is located on hostname JazzArts. 


+ The server uses port number 845. 


To perform the search, first specify the appropriate search filter in the 
SEARCHDB file, and then type the following command: 
-C NSHOME/userdb/ldap/config/lcache.conf 


HINT: The previous command references the ldapsearch tool that is bundled 
with NetWare Web Manager. 


You can find the ldapsearch command-line utility with NetWare Web 
Manager installation in the NSHOME/USERDB/LDAP/TOOLS directory. 


For information on using Secure Sockets Layer (SSL) with this utility, see 
Managing Server Content and Configuring Server Preferences in the NetWare 
Enterprise Web Server Administration Guide. 


You can also specify a search filter directly on the call to the command line. 
If you do this, be sure to enclose your filter in quotation marks ("filter"). Also 
do not specify the -f option. For example (on one line), 


ldapsearch -b "cn=marketing, o=Ace Industry, c=US" -D "cn=Directory Manager, o=Ace Industry, c=US" -w Top~Secret -C NSHOME/userdb/ldap/config/lcache.conf "cn=Ethan Warren" 
Using LDIF 


You can use the LDAP Data Interchange Format (LDIF) to import and export 
entries into and out of your local directory. For example, when you perform a 
search of your directory using the ldapsearch command-line utility, the 
resulting output is in LDIF format. When you create entries using ldapmodify, 
you use a form of LDIF called LDIF update statements. 


The LDIF Format 


The LDAP Data Interchange Format (LDIF) is used to represent directory 
entries in text form. The basic form of an LDIF entry is 
[id] 
dn: distinguished name 
objectClass: object class 
objectClass: object class 
... 
attribute type: attribute value 
attribute type: attribute value 
... 


HINT: Only the DN and at least one object class definition are required. Also 
required are any attributes required by the object classes that you define for 
the entry. All other attributes and object classes are optional. You can specify 
object classes and attributes in any order. The object classes and attributes 
that you can use with your directory server are defined by the directory server’s 
schema. 


The following table describes the LDIF fields shown in the previous 
definition: 
Field Definition 





[id] Optional positive decimal number 
representing the entry ID. The 
database creation tools generate this 
ID for you. Never add or edit this 
value yourself. 


dn: distinguished name Specifies the distinguished name for 
the entry. For a complete description 
of distinguished names, refer to “User 
and Group Management’ on page 35 


objectClass: object class Specifies an object class to use with 
this entry. The object class identifies 
the types of attributes allowed and 
required for the entry. 


attribute type Specifies a descriptive attribute to 
use with the entry. The attribute 
should be defined either in 
SLAPD.AT.CONF or with the attribute 
parameter in SLAPD.CONF. A list of 
standard attributes can be found in 
the online documentation that comes 
with the server. 


attribute value Specifies the attribute value to be 
used with the attribute type. 





Continued Lines 


When you specify LDIF, you can break and continue a line by indenting the 
continued portion of the line by a single space. For example, the following two 
statements are identical: 


dn: cn=Jake Lupinski, ou=Accounting, o=Ace Industry, c=US 


dn: cn=Jake Lup 
 inski, ou=Accoun 
 ting, o=Ace Industr 
 y, c=US 
Creating Databases Using LDIF 


You can create a directory database using LDIF. This is useful when you are 
creating an entire directory database or when you are importing entries from 
another directory service application. 


To create a database using LDIF: 


1 Create an ASCII file containing the entries you want to add in LDIF 
format. See Creating LDIF Entries for more information. 


2 Separate each entry from the next with an empty line. 


3 Begin each directory in the database with the top-most, or the root, entry. 
The root point of the directory must represent a suffix you have set for 
your server. For example, if your server has the suffix 

o=Ace Industry, c=US 


the very first entry in your directory must be 
dn: o=Ace Industry, c=US 


4 As you proceed with your directory creation, make sure that you create an 
entry representing a branch point before you create new entries under that 
branch. If you want to place an entry in a Marketing and an Accounting 
sub-tree, create the branch point for those sub-trees before creating 
entries within those sub-trees. For example 

dn: o=Ace Industry, c=US 
list of attributes and object classes 

dn: ou=Marketing, o=Ace Industry, c=US 
list of attributes and object classes 

Marketing subtree entries. 

dn: ou=Accounting, o=Ace Industry, c=US 
list of attributes and object classes 

Accounting subtree entries. 


5 Create the database from the LDIF file using the procedure described in 
“Configuring Users and Groups” on page 51. 
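The LDIF rules of this chapter, as an added Python example that is not part of the NetWare documentation or of the ldapmodify tool: it reads a constructed LDIF file the way "The LDIF Format" and "Continued Lines" describe (one-space continuation lines, records separated by empty lines), enforces the load order given in the steps above (the first entry must be a suffix, a branch point must exist before its children), applies a changetype: modify record with the hyphen-separated delete, add and replace operations from "Adding Attributes" and "Changing an Attribute Value", refuses to delete a value the entry does not have, and lists person entries that lack the unique uid the NOTE under "Using ldapmodify" says Web Manager needs for authentication. It assumes plain attr: value lines (no base64 :: values) and no escaped commas inside DNs; the function names and the in-memory directory layout are the example's own.

```python
# Added example, not the product's code; the sample LDIF at the end is constructed.
def unfold(text):
    """Join continued lines: a line beginning with one space continues the line above."""
    out = []
    for raw in text.splitlines():
        if raw.startswith(" ") and out:
            out[-1] += raw[1:]
        else:
            out.append(raw)
    return out

def records(text):
    rec = []                                     # one record = list of (attr, value) pairs
    for line in unfold(text) + [""]:
        if not line.strip():                     # empty line ends the record
            if rec:
                yield rec
            rec = []
        elif line == "-":                        # separates operations in a modify record
            rec.append(("-", ""))
        else:
            attr, _, value = line.partition(":")
            rec.append((attr.strip().lower(), value.strip()))

def norm_dn(dn):
    return ",".join(p.strip().lower() for p in dn.split(","))

def modify_entry(entry, ops):
    for verb, attr, values in ops:
        have = entry.get(attr, [])
        if verb == "add":
            entry[attr] = have + values
        elif verb == "delete" and values:        # remove only the named values
            if any(v not in have for v in values):
                raise ValueError("noSuchAttribute: %s has no such value" % attr)
            entry[attr] = [v for v in have if v not in values]
        elif verb == "replace" and values:       # every old value is discarded
            entry[attr] = list(values)
        else:                                    # delete/replace with no values: drop it
            entry.pop(attr, None)

def load(text, suffixes):
    """Build a directory (normalized DN -> {attr: [values]}) from LDIF text, in file order."""
    directory, suffixes = {}, {norm_dn(s) for s in suffixes}
    for rec in records(text):
        dn = rec[0][1]
        key = norm_dn(dn)
        if rec[1:2] == [("changetype", "modify")]:
            ops = []
            for attr, value in rec[2:]:
                if attr in ("add", "delete", "replace"):
                    ops.append((attr, value.lower(), []))
                elif attr != "-":                # "-" only closes the current operation
                    ops[-1][2].append(value)
            modify_entry(directory[key], ops)
        else:
            if key not in suffixes and key.partition(",")[2] not in directory:
                raise ValueError("noSuchObject, create the branch point first: " + dn)
            attrs = {}
            for attr, value in rec[1:]:
                attrs.setdefault(attr, []).append(value)
            directory[key] = attrs
    return directory

def uid_problems(directory):
    """User entries with no uid, or with a uid that another entry already uses."""
    seen, bad = {}, []
    for dn, attrs in directory.items():
        if "inetorgperson" in [c.lower() for c in attrs.get("objectclass", [])]:
            bad += [dn for u in attrs.get("uid") or [None]
                    if u is None or seen.setdefault(u, dn) != dn]
    return bad

SAMPLE = """\
dn: o=Ace Industry, c=US
objectClass: organization

dn: ou=Sales, o=Ace Industry, c=US
objectClass: organizationalUnit

dn: cn=Sam Warren, ou=Sal
 es, o=Ace Industry, c=US
objectClass: inetOrgPerson
cn: Sam Warren
sn: Warren
telephonenumber: 555-1212
telephonenumber: 555-5678

dn: cn=Sam Warren, ou=Sales, o=Ace Industry, c=US
changetype: modify
delete: telephonenumber
telephonenumber: 555-1212
-
add: telephonenumber
telephonenumber: 555-4321
-
replace: manager
manager: cn=Sally Nixon, ou=Sales, o=Ace Industry, c=US
"""
```

Loading SAMPLE with load(SAMPLE, ["o=Ace Industry, c=US"]) leaves Sam with telephone numbers 555-5678 and 555-4321 and the new manager, and uid_problems reports his entry because the sample never gave him a uid; a real ldapmodify run would have accepted the entry just as silently, which is the point of the NOTE.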
Creating LDIF Entries 


This section explains how to create a series of entries using LDIF to describe 
the people in your organization. For general formatting of an LDIF entry, see 
“The LDIF Format” on page 97 


Note that you can, and will, create more types of entries than are discussed 
here. However, organizational person entries are the most common type of 
entry that you will store in your directory, so this is the kind of entry used for 
these examples. 


Specifying Entries for an Organizational Person 


The most common type of entry that you will include in your directory will 
describe a person within your organization. The LDIF you specify to define an 
organizational person should appear as follows: 


dn: distinguished name 
cn: common name 
sn: surname 
list of optional attributes... 
objectClass: top 
objectClass: person 
objectClass: organizationalPerson 
objectClass: inetOrgPerson 


The following defines each aspect of the LDIF-formatted entry: 
Distinguished Name (dn): Specifies the DN for the entry. A DN is required. 
Common Name (cn): Specifies the common name for the person, the full 
name commonly used by the person. For example, cn: Bill Anderson. A 


common name is required. 


Surname (sn): Specifies the person’s surname, or last name. For example, 
sn: Anderson. A surname is required. 


List of Attributes: Specifies the list of optional attributes that you want to 
maintain for the entry. 


Object Class (top): Specifies the top object class. This object class 


specification is optional. Some older LDAP clients will require the existence 
of the TOP object class during search operations. 
Object Class (person): Specifies the person object class. This object class 
specification should be included because many LDAP clients will require the 
existence of object class person during search operations for a person or an 
organizational person. 


Object Class (organizationalPerson): Specifies the organizationalPerson 
object class. This object class specification should be included because some 
LDAP clients will require the existence of object class organizationalPerson 
during search operations for an organizational person. 


Object Class (inetOrgPerson): Specifies the inetOrgPerson object class. 
The inetOrgPerson object class is recommended for the creation of an 
organizational person entry because this object class includes the widest range 
of attributes. 


Example of the Syntax in an LDIF File 


The following example shows an LDIF file that contains three organizational 
person entries. An empty line separates one entry from the next: 


dn: cn=June Rossi, ou=accounting, o=Ace Industry, c=US 
cn: June Rossi 
sn: Rossi 
givenName: June 
mail: rossi@aceindustry.com 
userPassword: {sha}KDIE3AL9DK 
telephoneNumber: 2616 
roomNumber: 220 
objectClass: top 
objectClass: person 
objectClass: organizationalPerson 
objectClass: inetOrgPerson 

dn: cn=Marc Chambers, ou=manufacturing, o=Ace Industry, c=US 
cn: Marc Chambers 
sn: Chambers 
givenName: Marc 
mail: chambers@aceindustry.com 
userPassword: {sha}jdl2alem87dlacz1l 
telephoneNumber: 2652 
roomNumber: 167 
objectClass: top 
objectClass: person 
objectClass: organizationalPerson 
objectClass: inetOrgPerson 

dn: cn=Robert Wong, ou=manufacturing, o=Ace Industry, c=US 
cn: Robert Wong 
cn: Bob Wong 
sn: Wong 
givenName: Robert 
givenName: Bob 
mail: bwong@aceindustry.com 
userPassword: {sha}nn2msx761 
telephoneNumber: 2881 
roomNumber: 211 
objectClass: top 
objectClass: person 
objectClass: organizationalPerson 
objectClass: inetOrgPerson 


Because a file like this carries userPassword values, protect it as you would 
any other credential store and delete working copies once the import is done. 